Daily Emotet IoCs and Notes for 04/03/19

Emotet Malware Document links/IOCs for 04/03/19 as of 04/04/19 00:45 EDT

Notes and Credits are now at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.



Epoch 1 Payloads by Document SHA256 - All Times UTC


Creation Time	2019-04-03 21:02:00	(DOC Based - ENG - Upgrade Blue Box)

Creation Time	2019-04-03 15:14:00	(DOC Based - ENG - Upgrade Blue Box)
NOTE- Sometimes seen in Password Protected .ZIP Attachments.

Creation Time	2019-04-03 06:22:00	(DOC Based - ENG - Upgrade Blue Box)

Creation Time	2019-04-02 20:54:00	(DOC Based - ENG - Upgrade Blue Box)

SHA256s for Epoch 1 Payload EXEs seen on 04/03/19

Epoch 2 Payloads by Document SHA256 - All Times UTC


Creation Time	2019-04-03 16:11:00	(From Password Zip - DOC Based - ENG - 365 Blue Box)


Creation Time	2019-04-02 13:00:00	(From ZIP - JS Based - Fake Error)


Creation Time	2019-04-03 06:53:00	(DOC Based - ENG - 365 Blue Box)

Creation Time	2019-04-02 23:00:00	(From ZIP - JS Based - Fake Error)

SHA256s for Epoch 2 Payload EXEs seen on 04/03/19

Epoch 1 C2s



Spam/Stealer C2s


31.172.86.183:8080
104.236.185.25:8080
50.116.63.9:7080

Current Epoch 1 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB

Epoch 2 C2s




Epoch 2 - Spam/Stealer C2s


198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080

Current Epoch 2 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB

Credits and Notes Section

Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

What is Epoch 1 and Epoch 2? (updated 03/07/2019)

I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications. 
Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more 
rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
This seems to change back and forth over a 6-month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen 
to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same 
time period. 
Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those 
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change every 10 minutes on both Epochs while distribution/spamming are active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Mondays of every week a new set of document download sites and usually templates to accompany them are generated early on 
Monday morning/Sunday night.
- Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys for C2 communications on each Epoch/Botnet will change every few months.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from, is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this 
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
spam template, word template, document type and even payload.

If I think of anything else to add or if anyone else has any suggestions, I will add them here.

Community Lists


https://pastebin.com/Xj1wYxbd - @pollo290987
https://twitter.com/ps66uk/status/1113360718600994816 - @ps66uk
https://twitter.com/James_inthe_box/status/1113471271344365568 - @James_inthe_box
https://otx.alienvault.com/pulse/5ca50a20578a7d058e7ff1d3/ - @SecSome

Credits

(OC from @JRoosen and/or combination work of the following)

Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, 
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @leunammejii, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk

C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial

Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman

Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt 

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and 
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey , 
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch, 
@urlscanio and @Virustotal for providing services/software no charge to this cause!

Daily Log


Today was interesting and I got blasted with a bunch of 64 malspams in a timespan of 5 minutes at 19:42 EDT until about 19:47 EDT.
They were all variations on the same theme of Invoice or Payment. Some of them referred to there being a password on the document
and others did not have the password. It was almost as if there was a high volume burst of all templates of late at this timeframe.
This was also seen by others but most malspam operations stopped around 20:00EDT or 00:00UTC. The malspam had the following format:

------------------------

From: (Spoofed Full Name) <azaliamtzjuarez@usstick.com>
To: Victim@yourdomain.com
Subject: (Spoofed Full Name)

=0DSorry for the delay=E2=80=A6.


=0DIt=E2=80=99s a subscription to submit you invoices to us through their s=
ystem and at the same time you get our business, =0Dthen  again I am just a=
ssuming on how system works.

Please sign in anytime at http://aradministracionintegral.com/wp-content/up=
loads/sec.myacc.docs.biz/ to view your invoice and access your reports.
Password: KUZJE


=0DThank you for your business!

---

(Spoofed Full Name)=0DT 437.444.6830  |  O 863.747.9347=0De-Mail:(Spoofed Email Address)


-----------------------
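
The sample above is quoted-printable encoded, and its link is split by a soft line break ("up=" / "loads"), so a URL match against a blocklist only works after decoding. The following is an added example, not part of the original notes; the function names are hypothetical and the blocklist holds just the one URL from the sample.

```python
import quopri
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Excerpt of the quoted-printable body shown above, copied from this page.
RAW_BODY = (
    b"Please sign in anytime at http://aradministracionintegral.com/wp-content/up=\n"
    b"loads/sec.myacc.docs.biz/ to view your invoice and access your reports.\n"
    b"Password: KUZJE\n"
)

# The same URL with the soft line break removed, standing in for a blocklist.
KNOWN_DOC_URLS = {
    "http://aradministracionintegral.com/wp-content/uploads/sec.myacc.docs.biz/",
}


def extract_urls(body: bytes, decode_qp: bool) -> list:
    """Pull URLs from a mail body, optionally undoing quoted-printable first."""
    if decode_qp:
        # Joins "=\n" soft line breaks and turns =XX escapes back into bytes.
        body = quopri.decodestring(body)
    return URL_RE.findall(body.decode("utf-8", errors="replace"))


def ioc_hits(body: bytes, decode_qp: bool) -> set:
    """Return the extracted URLs that appear in the known document URL list."""
    return set(extract_urls(body, decode_qp)) & KNOWN_DOC_URLS


if __name__ == "__main__":
    print("raw body hits:    ", ioc_hits(RAW_BODY, decode_qp=False))
    print("decoded body hits:", ioc_hits(RAW_BODY, decode_qp=True))
```

Matching on the raw body yields a truncated URL ending in "up=" and no blocklist hit; the decoded body matches.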

Around Noon EDT: Operation Zipper Stuck becomes Operation Zip Lock!

Interestingly, I heard reports today that some of the malspam coming in from BOTH epochs had attachments that were .zip files!
Not only is that a change but we also saw the .zip files protected with a password. This is a first for both tactics and 
something you will want to take note of. One of the first people to see this was @James_inthe_box and he posted it here:

https://twitter.com/James_inthe_box/status/1113471271344365568

Later after 1330EDT+, James observed that the attached .zips now contained a .doc file instead of the previous .js file. 
The other interesting thing is that this .doc file and payloads did not appear on the distro infrastructure. 

This evening I was able to confirm that there were limited runs of Operation Zip Lock on E1 also with the same attached
passworded .zip file and a document that WAS on distro already. 

It seems like they are only attempting to use the password ruse on direct attachment .zip files in the spam templates. 
I am not sure how you could do anything else honestly because the link based spam templates would need to lock
URLs to specific passworded .zip files or the .zips risk changing later on when the message is read.

All in all, operation Zip Lock is a bit underwhelming and easily blocked at the mail gateway by just blocking passworded
.zip attachments. You are doing that aren't you?? :)
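
One way to implement the gateway check mentioned above, as an added example that is not part of the original notes. The function names are hypothetical, and the test mail is constructed: a harmless ZIP whose encryption flag bit is set by patching the headers rather than by real encryption.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

def zip_verdict(data: bytes) -> str:
    """Classify attachment bytes: not-zip, clean, encrypted or malformed."""
    if not data.startswith(b"PK\x03\x04"):  # judge by content, not file name
        return "not-zip"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Bit 0 of each entry's general purpose flag marks encryption.
            if any(info.flag_bits & 0x1 for info in zf.infolist()):
                return "encrypted"
            return "clean"
    except zipfile.BadZipFile:
        return "malformed"  # cannot be inspected, so hold it as well

def scan_message(raw: bytes) -> dict:
    """Map each ZIP attachment's file name to its verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        verdict = zip_verdict(part.get_payload(decode=True) or b"")
        if verdict != "not-zip":
            verdicts[part.get_filename() or "(unnamed)"] = verdict
    return verdicts

def make_sample(fname: str, encrypted: bool) -> bytes:
    """Constructed test mail carrying a harmless one-file ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", "constructed sample, no real payload")
    data = bytearray(buf.getvalue())
    if encrypted:  # set the flag bit a passworded ZIP would carry
        data[6] |= 0x01                             # local file header
        data[data.find(b"PK\x01\x02") + 8] |= 0x01  # central directory
    mail = EmailMessage()
    mail["Subject"] = "Invoice"
    mail.set_content("Constructed body. Password: 00000")
    mail.add_attachment(bytes(data), maintype="application",
                        subtype="zip", filename=fname)
    return mail.as_bytes()

if __name__ == "__main__":
    for name, enc in (("invoice.zip", True), ("report.zip", False)):
        print(scan_message(make_sample(name, enc)))
```

Because the check keys on the ZIP magic bytes, it also inspects attachments whose names do not end in .zip.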

Other than the attachments, E1 was all Doc files all day. 

E2 started the day off with normal Docs but then progressed to .zip based .JS files. As noted above the .zip based Docs
were not seen on the E2 Distro infrastructure.

Still seeing the new Upgrade Blue Box document template on E1 and E2 as well as the 365 Blue Box one. 

C2s DID change for E1 and decreased to 52 from 55 combos in total. - recorded above
C2s DID change for E2 and increased to 56 from 55 combos in total. - recorded above

Interesting analysis of the .js dropper from @sec_soup:

https://security-soup.net/a-quick-look-at-emotets-updated-javascript-dropper/

Lots of changes in the past few weeks. It is clear the Emotet Gang is not happy with auto reporting and is trying
every trick in the book to suppress that including Operation Zipper Stuck/Operation Zip Lock.

That is it for today as if that wasn't enough.

Sandbox 04/03/19

(all with fakenet and MITM unless spam/secondary infection)


Epoch 1 C2 run on 2019-04-04 at 03:45 UTC - https://cape.contextis.com/analysis/61110/


Epoch 2 C2 run on 2019-04-04 at 03:45 UTC - https://cape.contextis.com/analysis/61111/