Daily Emotet IoCs and Notes for 05/01/19

Emotet Malware Document links/IOCs for 05/01/19 as of 05/02/19 00:45 EDT

Notes and Credits are now at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.




Epoch 1 Payloads by Document SHA256 - All Times UTC


Creation Time	2019-05-01 20:15	(From ZIP - JS Based - Fake Error)
SHA256:
b4be331a9a01e5ee347770bbd63e1aa54d07febc0e3a7daeb77d171b301a483a

http://dac-website.000webhostapp.com/wp-content/7876/
http://audamusic.com/wp-admin/nt4v5zv04/
https://apk5kmodz.com/azlp/k751/
http://escoder.net/cgi-bin/u80800/
http://puntoardg.com/ybsph/yXP/

Creation Time	2019-05-01 18:00	(From ZIP - JS Based - Fake Error)
SHA256:

0fc6d87b75d77b4b03fbf75d3d3573e26e8cf7a2abc72b7569d1af87d8249da6

http://www.kyans.com/wp-admin/1De3/
http://gs.jsscxx.com/wp-admin/suLKR/
http://m24news.com/cgi-bin/74U/
http://librafans.com/wordpress/uOFjH/
http://elmedpub.com/wt92lnq/h2nS6/


Creation Time	2019-05-01 12:11:00	(From ZIP or Direct - DOC Based - ENG - 365 Blue Box)
SHA256:

https://montalegrense.graficosassociados.com/keywords/FOYo/
http://webaphobia.com/images/72Ca/
http://purimaro.com/1/ww/
http://jpmtech.com/css/GOOvqd/
http://118.89.215.166/wp-includes/l5/

Creation Time	2019-05-01 11:10	(From ZIP - JS Based - Fake Error)
SHA256:
224bf0e4c51f2c159c8fe260da7a858a555d5225616add3e949aa580d1c2ab9f

http://havenfbc.com/wp-admin/x1d8e/
http://best-baby-items.com/wp-content/Y1CH/
http://huslerz.com/qxr7/mV0z/
http://ikkan-art.com/crm/cron/modules/yeM/
http://agipasesores.com/Circulares_archivos/y0800Y/

Creation Time	2019-05-01 09:40	(From ZIP - JS Based - Fake Error)
SHA256:
cef6e70651a2c312234466aff9e7e39769f6d1329bb5ac435a2db453e27d882b

http://havenfbc.com/wp-admin/x1d8e/
http://best-baby-items.com/wp-content/Y1CH/
http://huslerz.com/qxr7/mV0z/
http://ikkan-art.com/crm/cron/modules/yeM/
http://agipasesores.com/Circulares_archivos/y0800Y/

Creation Time	2019-05-01 08:35	(From ZIP - JS Based - Fake Error)
SHA256:
aeeb4d50eedd8fd602417c1d59e0d0b6b3d08c4d8045eae9b69e3b1777048062

http://havenfbc.com/wp-admin/x1d8e/
http://best-baby-items.com/wp-content/Y1CH/
http://huslerz.com/qxr7/mV0z/
http://ikkan-art.com/crm/cron/modules/yeM/
http://agipasesores.com/Circulares_archivos/y0800Y/

Creation Time	2019-04-30 21:50	(From ZIP - JS Based - Fake Error)
SHA256:
b0840f0a422e5b418f84a7e2a15d30bdec48404257a8b7bd95a36ee7d6806feb

http://goleta105.com/404_page_images/Xkg/
http://www.iowaselectvbc.com/1bksryf/CpSX/
http://goudappel.org/HendrikMGoudappel/P6TUk/
http://encorestudios.org/verif.myacc.resourses.net/Qhfv/
https://www.likepage.site/wp-content/eIRNx/

SHA256s for Epoch 1 Payload EXEs seen on 05/01/19

Epoch 2 Payloads by Document SHA256 - All Times UTC


Creation Time	2019-05-01 17:22:00	(DOC Based - ENG - 365 Blue Box)
SHA256:

http://depobusa.com/foamorder/tObUfzBc/
https://www.plvan.com/wp-content/vPTKWuAOUoglbXLQxJufgAVZbW/
http://hsb.pw/e5t9/zbqlHAhTtRZd/
http://mestand.com/wp-content/akMmnMBbAPswO/
http://jobstud.ru/wp-includes/QIUEwMypGbuDbhAaEimcRofGNckbVn/

Creation Time	2019-05-01 12:06:00	(DOC Based - ENG - 365 Blue Box)
SHA256:

https://protemin.com/wp-includes/Zx_S/
https://moda-blog.com/wp-includes/PZ_BY/
http://chenrenxu.com/wp-content/KH_z/
http://globalent.pk/cgi-bin/5_ml/
http://eismv.org/wp-content/2_A/


Creation Time	2019-05-01 09:35 (From ZIP - JS Based - Fake Error)
SHA256:
0920828ff5b7ceb1d38a80e3f89e8d5a3cce36bfec0d134df331abcd5acccd38

https://hatmem.com/wp-content/v_6h/
http://icv.edu.au/wp-includes/RH_Xw/
http://driveless.pt/wp-content/PB_D/
http://egd.jp/wp-admin/e_H/
http://gynet.com.ng/wp-content/Ch_BG/

Creation Time	2019-04-30 19:05 (From ZIP - JS Based - Fake Error)
SHA256:
ebd4f543086e069e533320c4c4793117a0684cc46315c929067483a56c8fc478

http://sanko1.co.jp/lp/cJ_du/
http://sftereza.ro/administrator/Z_K/
http://shot.co.kr/yupdduk717/g_3/
http://shawktech.com/shawktech.com/p_Wz/
http://nobibiusa.com/yxbd/Op_u/

SHA256s for Epoch 2 Payload EXEs seen on 05/01/19

Epoch 1 C2s




Epoch 1 - Spam/Stealer C2s


31.172.86.183:8080
104.236.185.25:8080
50.116.63.9:7080

Current Epoch 1 RSA Public Key



MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB

Epoch 2 C2s



Epoch 2 - Spam/Stealer C2s


198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080

Current Epoch 2 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB

Credits and Notes Section


WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
 
NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

What is Epoch 1 and Epoch 2? (updated 03/07/2019)

I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures and separate RSA keys for communications.
Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more
rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since that time period.
This seems to change back and forth over a 6 month period. Despite having unique, unshared C2 infrastructures, these two botnets have been seen
to move bots from one to the other and show similar behaviors, seemingly controlled by a single entity/group, e.g. going on break during the same
time period.
Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different from what is being delivered at the same time on an
Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change every 10 minutes on both Epochs while distribution/spamming is active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Monday of every week a new set of document download sites, and usually templates to accompany them, are generated early on
Monday morning/Sunday night.
- Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys used for C2 communications on each Epoch/Botnet change every few months.
- Binaries for Epoch 1 payload sites are different from the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard-coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00 UTC each day. It usually starts back up around 07:00-08:00 UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell which botnet a sample is from is to find the payload and then check the C2s/RSA key. HINT - CAPE Sandbox makes this
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other, as if the first was a test. This has been observed for obfuscation,
spam template, word template, document type and even payload.

If I think of anything else to add or if anyone else has any suggestions, I will add them here.
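An added example, not Cryptolaemus tooling, for the "check the C2s/RSA key" observation above: a stdlib-only parser for the two "Current Epoch N RSA Public Key" blobs listed in this report that recovers modulus and exponent, and a fingerprint lookup that maps a key pulled from a sample's config back to its Epoch. Function names and the SHA-256-of-DER fingerprint scheme are my own choices.

```python
import base64
import hashlib

# The SubjectPublicKeyInfo blobs copied from the "Current Epoch N RSA Public Key"
# sections of this report (the pasted line breaks re-joined).
EPOCH_KEYS = {
    "Epoch 1": (
        "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+"
        "0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ"
        "Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB"
    ),
    "Epoch 2": (
        "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx"
        "S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc"
        "hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB"
    ),
}

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def _decode(b64):
    """Base64-decode a pasted key, tolerating line breaks and stray spaces."""
    return base64.b64decode("".join(b64.split()))


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length (not needed for 768-bit keys)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(b64):
    """Return (modulus, exponent) from a base64 DER SubjectPublicKeyInfo holding an RSA key."""
    der = _decode(b64)
    tag, spki, _ = _read_tlv(der, 0)                # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)              # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _read_tlv(alg, 0)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)           # BIT STRING; first byte = unused bits
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING encoding")
    _, rsapub, _ = _read_tlv(bitstr, 1)             # RSAPublicKey SEQUENCE { n, e }
    _, n_bytes, pos = _read_tlv(rsapub, 0)
    _, e_bytes, _ = _read_tlv(rsapub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def key_fingerprint(b64):
    """SHA-256 over the raw DER; a stable value to record next to a sample's C2 list."""
    return hashlib.sha256(_decode(b64)).hexdigest()


# Fingerprint -> Epoch lookup table built from the keys above.
KNOWN = {key_fingerprint(v): k for k, v in EPOCH_KEYS.items()}


def identify_epoch(b64):
    """Map a key extracted from a sample's config to 'Epoch 1' / 'Epoch 2'; None if unknown."""
    return KNOWN.get(key_fingerprint(b64))


if __name__ == "__main__":
    for name, key in EPOCH_KEYS.items():
        n, e = parse_rsa_spki(key)
        print(name, "bits:", n.bit_length(), "e:", e, "fp:", key_fingerprint(key)[:16])
```

A key that decodes but matches neither fingerprint is the signal that the Epoch has rotated its key, which the notes say happens every few months.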

Community Lists


https://pastebin.com/nS6FBEDJ - @Jan0fficial
https://pastebin.com/Xd6M9J7G - @ps66uk
https://otx.alienvault.com/pulse/5cc9fa2541698480d8b9c914/ - @SecSome


Credits

(OC from @JRoosen and/or combination work of the following)

Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, 
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
@Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk

C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192

Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro

Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt 

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and 
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey , 
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch, 
@urlscanio, @TrendMicro and @Virustotal for providing services/software no charge to this cause!

Daily Log 05-01-19


General News: 

New Regex patterns below for E1 and E2. Moderate amounts of spam for most people. Once again, very little malspam for me
with only 1 older generic template from E2. I am not complaining though and the less they spam me, the more I am winning
the battle. However, other people are getting decent volumes of spam and @ps66uk had 30 malspams. Quite a selection of 
attachments/JS/DOC and ZIPs in relatively even amounts. It looks like attachments were pretty prevalent today which would 
match what we see in the link counts. See @ps66uk's notes here:

In other news:

Brad @malware_traffic had posted some pcaps of Emotet E1 infections that proceed to Trickbot rather quickly. A few
other members of the community also mentioned seeing this pattern today.
Brad's notes are here:
https://twitter.com/malware_traffic/status/1123661316655276038
https://www.malware-traffic-analysis.net/2019/05/01/index2.html

I forgot to include the new document template in the notes yesterday but I did attach it here later for everyone to see:
https://twitter.com/JRoosen/status/1123457018558337024
I am calling it the Navy Blue/White Letter DOC template.

@JayTHL gave a nice summary of the URLs seen yesterday in our report:
https://twitter.com/JayTHL/status/1123581349066170369

Email Template Report:

I only received the one generic malspam as previously mentioned but @ps66uk had a good writeup of what he saw today 
in his post here:

https://twitter.com/ps66uk/status/1123683670831898627
https://pastebin.com/Xd6M9J7G

It is important to note that @ps66uk did see 3 more reply chain emails in the list of mostly attachment-based messages.
From looking at the data I can tell he got messages from E1 and E2.

@HerbieZimmerman also saw attachments and posted here about it with a template:
https://twitter.com/HerbieZimmerman/status/1123604529319165952

@executemalware also saw attachments but as DOC files:
https://twitter.com/executemalware/status/1123584370634366976
https://pastebin.com/1NiyRDYk

Review:
What we know about the threaded templates/reply chain: (changes are marked with *)

- Emails are sourced from once (or still) compromised users all over the world.
- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
to the compromised party on or before Nov 2018 until at least January 2019 (may be up to the present). I have also seen emails going
back as far as June 2018.
- Now on E1 and E2.
- Now seeing German based templates that are essentially the same thing but in German.
*- The injected reply is usually prefaced with the following: 
"Attached is your confidential docs."
"Attached please find the wire transfer form."
"Thank you for your help. Please see the attached."
*"Load instructions attached"
*"A printer friendly attachment is now included with each email."
*"Click on the attachment to open or save the printer friendly version of your report."
- Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- Attachments seem to be in the filename format of *_April_DD_YYYY.doc/js so far.
- The link is customized for the display text of the link to show the real domain of the spoofed organization.
- These templates are pretty limited in run and not very numerous. 

Link Regex Report:

Regex directory patterns - The following patterns were seen active today. Note the * next to the ones coming back
or that are new. Also note the new patterns showing up today on BOTH E1 and E2. They seemed to stick more to E2, though,
so I am not sure what that was about. This seems to cover them well:

E1
\/(Frage|Nachprufung|nachpr|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/([0-59\-]){6,7}\/
*https?:\/\/.+?\/(sec|secure|trust|verif).(accs|accounts|myacc|myaccount).(docs|resourses|send).(biz|com|net)\/
*https?:\/\/.+?\/(assets|esp|lm|paclm|Pages|parts_service|sites|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{9,27})\/

E2 
*https?:\/\/.+?\/([A-Za-z0-9]{8,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
*https?:\/\/.+?\/(assets|esp|lm|paclm|Pages|parts_service|sites|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{9,27})\/
https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{8,12})\/

These Regex patterns are to be used experimentally and at your own risk but they caught 99%+ of what I saw in link malspam.
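An added example that is not part of the Cryptolaemus notes: the E1 and E2 patterns above compiled in Python (only the JavaScript-style `\/` escaping is dropped) and run over a few constructed proxy-log lines. The hosts are placeholders; the directory shapes are taken from entries in the lists in this report. Function names and the pattern labels are mine.

```python
import re

# The E1 / E2 directory patterns from the notes, copied as the author wrote
# them. "E1-dir" is a bare path fragment, the others anchor on the scheme.
# The unescaped "." in E1-acct matches any single character, exactly as in
# the original pattern.
PATTERNS = {
    "E1-dir": re.compile(
        r"/(Frage|Nachprufung|nachpr|sich|sichern|vertrauen|([DdeEnN_]{2,5}))/([0-59\-]){6,7}/"),
    "E1-acct": re.compile(
        r"https?://.+?/(sec|secure|trust|verif).(accs|accounts|myacc|myaccount)"
        r".(docs|resourses|send).(biz|com|net)/"),
    "E1E2-dir": re.compile(
        r"https?://.+?/(assets|esp|lm|paclm|Pages|parts_service|sites|wp-admin|"
        r"wp-content|wp-includes)/([A-Za-z0-9]{9,27})/"),
    "E2-under": re.compile(r"https?://.+?/([A-Za-z0-9]{8,30})_([a-z0-9]{5,10})-([0-9]{8,15})/"),
    "E2-3part": re.compile(r"https?://.+?/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})/"),
    "E2-doc": re.compile(r"https?://.+?/(Document|DOC|FILE|INC|LLC|Scan)/([a-zA-Z0-9]{8,12})/"),
}

# Pull URLs out of a log line (proxy/mail logs put whitespace around them).
URL_RX = re.compile(r"https?://\S+")

# Constructed proxy-log lines: placeholder hosts, directory shapes modelled on
# the report's lists. The last line is a benign control that must not fire.
SAMPLE_LOG = [
    "2019-05-01T09:12:44Z user=alice GET http://host-a.example/wp-admin/trust.myaccount.docs.biz/ 200",
    "2019-05-01T09:13:02Z user=bob GET http://host-b.example/wp-includes/0s8rweczh_22mqot8ogd-004539243/ 200",
    "2019-05-01T09:15:10Z user=carol GET http://host-c.example/wp-content/jmg1ld-8dfso7-fbsmfur/ 200",
    "2019-05-01T09:20:31Z user=dave GET http://host-d.example/wp-admin/FILE/saJi3anvi/ 200",
    "2019-05-01T09:22:05Z user=erin GET http://host-e.example/wp-admin/SrmfTpIZkZTDmA/ 200",
    "2019-05-01T09:25:00Z user=frank GET https://host-f.example/wp-content/uploads/2019/05/report.pdf 200",
]


def match_patterns(url):
    """Names of every pattern that fires on this URL (empty list means no hit)."""
    return [name for name, rx in PATTERNS.items() if rx.search(url)]


def scan_log(lines):
    """Return [(url, [pattern names])] for every URL in the log that hits at least one pattern."""
    hits = []
    for line in lines:
        for url in URL_RX.findall(line):
            names = match_patterns(url)
            if names:
                hits.append((url, names))
    return hits


def epoch_hint(names):
    """Rough attribution from the pattern labels: 'E1', 'E2', or 'E1/E2' when the shared pattern fired."""
    if not names:
        return None
    tags = {n.split("-", 1)[0] for n in names}   # "E1", "E2" or "E1E2"
    if tags <= {"E1"}:
        return "E1"
    if tags <= {"E2"}:
        return "E2"
    return "E1/E2"


if __name__ == "__main__":
    for url, names in scan_log(SAMPLE_LOG):
        print(epoch_hint(names), ",".join(names), url)
```

The shared wp-admin/wp-content/wp-includes pattern is the one the notes say appeared on both Epochs today, so on its own it only says "Emotet", not which botnet.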

Payloads Report:

Still seeing E1 and E2 going back and forth between the new and old loader. The current state of things is:

E1 Distro: old loader.
E1 C2: old loader.
E2 Distro: old loader.
E2 C2: New loader.

Everything on E1 was ZIP/JS or ZIP/DOC today except for a small point in time in the middle of the day where it was straight
DOCs. They were the DOCs in ZIPs previously though. :) E1 seems to be testing ZIPs for attachments/links with the old loader
to see how effective it is. Seems like a lot of attachments came from E1 today.

E2 was basically straight DOCs all day with the new loader in C2. I assume they are testing the new loader on E2 and some
of the new Regexes above to see what infection rates are compared to E1.

C2 Report:

C2s DID change for E1 and increased from 57 to 61 combos in total. - recorded above
C2s DID change for E2 and increased from 74 to 79 combos in total. - recorded above

Closing:

The new Regex patterns were interesting today but I hardly noticed because of the lower spam volumes in my personal environment.
I was thinking that Ivan had some tricks up his sleeve but I think it was just another empty vodka bottle.

TT

Sandbox 05/01/19

(all with fakenet and MITM unless spam/secondary infection)


Epoch 1 C2 run on 2019-05-02 at 01:00 UTC - https://cape.contextis.com/analysis/70865/


Epoch 2 C2 run on 2019-05-02 at 01:00 UTC - https://cape.contextis.com/analysis/70864/