Daily Emotet IoCs and Notes for 02/27/19

Emotet Malware Document links/IOCs for 02/27/19 as of 02/28/19 01:30 EST

Notes and Credits are now at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.





Epoch 1 Payloads by Document SHA256 - All Times UTC


Creation Time	2019-02-27 17:57:00	(DOC Based - ENG - 365 Blue Box)
SHA256:

http://23.23.29.10/YaXUeO5K/
http://35.204.88.6/heu0n72I/
http://3.89.91.237/MLCMkrc/
http://uat-essence.oablab.com/wp-includes/oY8j241xM/
http://34.207.179.222/7SQrziN/


Creation Time	2019-02-27 13:17:00	(DOCX Based - ENG - 365 Blue Box)
SHA256:
1bb948ea6a642404c81eff109bd3bf4de8d17371bd084d3636e5638345cc5020

http://japanijob.com/UUC8iEfIfb/
http://103.11.22.51/wp-content/uploads/yoarKX9/
http://13.126.28.98/hPwXcgCZBx/
http://159.65.146.232/ugitr4t4L/
http://159.65.65.213/iz1Cc1GhZ/

Creation Time	2019-02-27 09:22:00	(DOCX Based - ENG - 365 Blue Box)
SHA256:
b99528c00d6ac14bf99ade801638f8deb78ba5c610ead5ca6ac68a69f95547bc

http://iso-wcert.com/JREjsr1Ai/
http://emirates-tradingcc.com/wp-content/XUMY1h33zJ/
http://healthytick.com/wp-content/uploads/j900PD5h/
http://caminaconmigo.org/wp-content/uploads/q7wmIj0/
http://neumaticosutilizados.com/tpexfplWv/

Creation Time	2019-02-26 18:49:00	(XML Based - ENG - 365 Blue Box)
SHA256:

http://senboutiquespa.com/l5oBTin/
http://tktool.net/13BDYWM/
http://icebox.hospedagemdesites.ws/NFUvcViiv5/
http://specialaccessengineering.com.my/eof86bw/82NbuvX/
http://siamsoil.co.th/S1st9g7E/

SHA256s for Epoch 1 Payload EXEs seen on 02/27/19

Epoch 2 Payloads by Document SHA256 - All Times UTC



Creation Time	2019-02-27 13:08:00 (DOCX Based - ENG - 365 Blue Box) 
SHA256:
d2ff05ca4592e4f36a5b5da1ca5229c5b6c464d7871fb3b60f5ec440c1afae1e

http://saigonthinhvuong.net/NuqnyGVMdzOnA/
http://acdhon.com/wvJZL4qzJvJ/
http://canhocaocap24h.info/JelJh5aIRIOmyK2/
http://13.229.153.169/vLm7bTI1bXxCI8Tn_5hh7/
http://ibakery.tungwahcsd.org/media/m8PnOehN8bW5h3q/

Creation Time	2019-02-26 17:22:00 (XML Based - ENG - 365 Blue Box) 
SHA256:

http://www.bersamakacasepatan.com/XpYHO9Iss_YTI20Qvw/
http://icon-stikepppni.org/zwPEso5VK4DW/
http://nailart.cf/f81y3PKllFl8mU/
http://moonyking.site/nIfkmaGIxu3_Ki/
http://monikatex.ru/wp-admin/LBefv2g_2Wyik/

SHA256s for Epoch 2 Payload EXEs seen on 02/27/19

Epoch 1 C2s



Spam/Stealer C2s



Current Epoch 1 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB

Epoch 2 C2s




Epoch 2 - Spam/Stealer C2s



Current Epoch 2 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB

Credits and Notes Section

Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

What is Epoch 1 and Epoch 2? (updated 01/29/2019)

It has been a while since I refreshed this section, so I wanted to update it and bring it up to date.

I have been tracking Epoch 1 and Epoch 2 since May of 2018. Epoch 1 and 2 are two botnets with distinct C2 infrastructures and separate RSA keys for
communications. Epoch 2 is currently the larger of the two botnets and I think it is the main push of Emotet. Epoch 2 WAS a smaller, more rapidly changing
version of Emotet at one point in May/June of 2018. Since that time period, Epoch 1 seems to be the smaller of the two. Despite having unique, unshared
C2 infrastructures, these two botnets have been seen to move bots from one to the other and show similar behaviors, seemingly controlled by a single
entity/group. Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different from what is being delivered at the same time on an Epoch 2
document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those being delivered
in maldocs on Epoch 2 at any time.
- Document hashes change every 10 minutes on both Epochs while distribution/spamming is active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Mondays of every week a new set of document download sites, and usually templates to accompany them, are generated early on Monday morning/Sunday night.
- Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and Epoch 2 may
have a document hosted on host.tld/B.
- The RSA keys will change every month or so for C2 communications on each Epoch/Botnet.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours to 
stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA Key.

If I think of anything else to add or if anyone else has any suggestions, I will add them here.

Community Lists


https://pastebin.com/uVA5KzfF - @executemalware


Credits

(OC from @JRoosen and/or combination work of the following)

Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL, @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, @0xtadavie,
@Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @leunammejii, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey, @Jan0fficial,
@shotgunner101, @HerbieZimmerman, @Outkast_TI

C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie, @devnullnoop,
@gorimpthon, @Racco42, @Jan0fficial

Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz, @pollo290987,
@malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey, @Jan0fficial,
@OguzhanTopgul, @HerbieZimmerman

Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt 

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey,
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch
and @Virustotal for providing services/software at no charge to this cause!

Daily Log


Today was a very odd day in Emotet land. I did receive over 100+ malspams today but they were basically all attachments. The morning was quiet for
me and we noted that the E2 botnet was not doing much of anything until after 1300UTC. The E1 botnet was spamming mostly attachments all day and
this shows in the URL count for today. E2 was spamming some PDFs and they had URI links embedded like normal. The URLs in E2 have changed to an
odd format that seems to have a final directory matching the following regex: \/([a-z0-9\-]{14,})\.view\/


For me the malspam started at about 11:50 EST and was more Invoice crap with mostly familiar generic templates. Subjects included these familiar
annoyances:

February Invoice INV-Z681522 from Vendor Spoof
Invoice No - X88510
Invoice number E423999
OVERDUE INVOICE
Re: Your recent invoice request for your account
Reminder: Your invoice from Spoofed Full Name - item # 4637226
Sales Invoice Account
Sales Invoice 1-W0397 from Spoofed Full Name
SERVICE INVOICE
Spoofed Full Name Invoice Ready To View
Spoofed Full Name - Invoice No. 038679
Spoofed Full Name report: Complete invoice O748590 - February 27 2019
Spoofed Full Name Recordatorio de pago

Most of the email was received from 13:50 to 15:00 EST and I saw nothing more after 15:45 EST.


Interestingly, E2 started to spam some UPS Package type templates towards the end of the day. Pictures attached to report.
They still have not learned that UPS tracking numbers usually do not start with anything other than 1Z, and other random letters/numbers
are an easy block. The valid formats are the following:

1Z9999999999999999
999999999999
T9999999999
999999999

From https://www.ups.com/us/en/tracking/help/tracking/tnh.page
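As an added example (not part of the original paste), the regex given in the Daily Log for the new E2 ".view" document URLs and the four UPS tracking-number formats listed above are turned into a small Python triage filter: it flags URLs whose final directory matches the pattern and rejects tracking numbers that fit none of the valid layouts. All sample URLs and tracking numbers are constructed, not taken from the lists above, and the 1Z layout is assumed to accept letters as well as digits after the prefix.

```python
import re

# Regex from the Daily Log for the new Epoch 2 document-download URLs:
# a final directory of 14+ characters from [a-z0-9-] followed by ".view/".
VIEW_DIR_RE = re.compile(r"\/([a-z0-9\-]{14,})\.view\/")

# The four UPS tracking-number layouts quoted in the log (each 9 = one position).
# Assumption: the 16 positions after "1Z" may be letters or digits, since real
# 1Z numbers mix both; the other three layouts are taken as all digits.
UPS_TRACKING_RE = re.compile(
    r"^(?:1Z[A-Z0-9]{16}|[0-9]{12}|T[0-9]{10}|[0-9]{9})$"
)

def view_token(url: str):
    """Return the random '.view' directory token of a URL, or None."""
    match = VIEW_DIR_RE.search(url)
    return match.group(1) if match else None

def is_view_dir_url(url: str) -> bool:
    """True if the URL ends in the Epoch 2 '<token>.view/' directory."""
    return view_token(url) is not None

def is_valid_ups_tracking(number: str) -> bool:
    """True if the string fits one of the four published UPS layouts."""
    normalized = number.strip().upper().replace(" ", "")
    return UPS_TRACKING_RE.fullmatch(normalized) is not None

def triage(urls, tracking_numbers):
    """Split inputs into the hits a defender would act on: suspicious URLs
    and tracking numbers that cannot be real UPS numbers."""
    flagged_urls = [u for u in urls if is_view_dir_url(u)]
    bogus_tracking = [t for t in tracking_numbers if not is_valid_ups_tracking(t)]
    return flagged_urls, bogus_tracking

# Constructed sample data (not taken from the lists above).
SAMPLE_URLS = [
    "http://example.test/wp-content/q7x1k-zz9pbl-abcde.view/",  # matches
    "http://example.test/sendincverif/support/question/En/201902/",  # old style
    "http://example.test/short-ab.view/",  # token too short for the regex
    "http://example.test/ABCDEFGHIJKLMNOPQ.view/",  # regex is lowercase-only
]
SAMPLE_TRACKING = [
    "1ZAB12345678901234",  # 1Z + 16 characters
    "123456789012",        # 12 digits
    "T1234567890",         # T + 10 digits
    "UPS-938271",          # lure-style junk, easy block
    "1Z1234",              # right prefix, wrong length
]

if __name__ == "__main__":
    hits, bogus = triage(SAMPLE_URLS, SAMPLE_TRACKING)
    print("URLs with .view token:", hits)
    print("Invalid tracking numbers:", bogus)
```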

The docs went back to DOCX formats for both epochs and E2 remained 1 single quintet of payloads all day. E1 had 2 quintets of 
DOCX payloads and then went back to 1 final quintet in the DOC format. 

E1 C2s changed and combos decreased from 47 combos to 45. - Recorded above.
E2 C2s changed and combos decreased from 52 combos to 48. - Recorded above.

I am starting to run out of time to do this as I do have a day job and have stuff to do. This is why I made the poll up here:
https://twitter.com/Cryptolaemus1/status/1100282263416258560
If you have time, vote on it and/or comment.

Till Tomorrow. I am sure they will come back strong after a weak day like today.

Sandbox 02/27/19

(all with fakenet and MITM unless spam/secondary infection)


Epoch 1 C2 run on 2019-02-28 at 05:15 UTC - https://app.any.run/tasks/f506eb34-2f23-4ae4-91b1-00933d52c277


Epoch 2 C2 run on 2019-02-28 at 05:30 UTC - https://app.any.run/tasks/e4e991be-0496-4da3-81f3-abb4a21bd4b6