Daily Emotet IoCs and Notes for 05/14/19

Emotet Malware Document links/IOCs for 05/14/19 as of 05/14/19 23:30 EDT

Notes and Credits are now at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.


Seen only in attachments



Epoch 1 Payloads by Document SHA256 - All Times UTC


Creation Time	2019-05-14 16:58:00	(Attachment Only - DOC Based - ENG - 365 Blue Box)


Creation Time	2019-05-14 06:53:00	(Attachment Only - DOC Based - ENG - 365 Blue Box)

Creation Time	2019-05-13 19:26:00	(Password Protected - Attachment Only - DOC Based - ENG - 365 Blue Box)

SHA256s for Epoch 1 Payload EXEs seen on 05/14/19

Epoch 2 Payloads by Document SHA256 - All Times UTC


Creation Time	2019-05-14 16:10:00	(Attachment Only - DOC Based - ENG - 365 Blue Box)


Creation Time	2019-05-14 08:52:00	(DOC Based - ENG - 365 Blue Box)

Creation Time	2019-05-13 19:33:00	(DOC Based - ENG - 365 Blue Box)

SHA256s for Epoch 2 Payload EXEs seen on 05/14/19

Epoch 1 C2s




Epoch 1 - Spam/Stealer C2s

61.92.159.208:8080
104.236.185.25:8080
50.116.63.9:7080

Current Epoch 1 RSA Public Key



MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB

Epoch 2 C2s




Epoch 2 - Spam/Stealer C2s


198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080

Current Epoch 2 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB

Credits and Notes Section


WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

What is Epoch 1 and Epoch 2? (updated 03/07/2019)

I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more
rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group, e.g. going on breaks at the same
time period.
Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
Epoch 2 document download site. Specifically, Maldocs on Epoch 1 will have different document creation times and payload quintets than those
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change every 10 minutes on both Epochs while distribution/spamming are active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Mondays of every week a new set of document download sites and usually templates to accompany them are generated early on
Monday morning/Sunday night.
- Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys will change every few months or so for C2 communications on each Epoch/Botnet.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00 UTC each day. It usually starts back up around 07:00-08:00 UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
spam template, word template, document type and even payload.

If I think of anything else to add or if anyone else has any suggestions, I will add them here.

Community Lists


https://pastebin.com/6Mus5st4 - @lazyactivist192

Credits

(OC from @JRoosen and/or combination work of the following)

Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, 
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
@Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk

C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192

Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro

Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt 

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and 
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey , 
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch, 
@urlscanio, @TrendMicro and @Virustotal for providing services/software no charge to this cause!

Daily Log 05-14-19


General News: 

Both botnets went into full attachment mode today and only very select reply-chain spam was being delivered. Most of the reports of
Emotet spam that I saw today ended up being delayed sends or Ursnif. It seems like based on the name of the documents I am seeing
that most of the reply chain malspam is targeting Germany. A lot of us are speculating that we may be entering into a period of
low spam volume or a break. Maybe Ivan is taking what I said to heart and giving up. :) We can only hope.

In other news:

Really not much to report today. Most of us saw nothing or very little like delayed sends. A good example is this post from @ps66uk:
https://twitter.com/ps66uk/status/1128413508780134400

@JayTHL had a nice summary of our data from last night:

https://twitter.com/JayTHL/status/1128182107979898880


REVIEW:
If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
to open .JS files via Notepad.exe. You can follow my instructions here in this Any.Run:
https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
https://twitter.com/JayTHL/status/1126204098670411779

Email Template Report:

My assumptions are that most of the malspam being sent today was targeting Germany based on the German file names. I also suspect
that all of the malspam was low volume reply-chain attachment type malspam. Unfortunately I don't have any examples to share. 
If anyone wants to share anything they are getting, reach out.

Review:
What we know about the threaded templates/reply chain (changes are marked with *):

- Emails are sourced from once (or still) compromised users all over the world.
*- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
to the compromised party on or before Nov 2018 until at least March 2019. (may be up to present) Also have seen emails going
back as far as June 2018.
- Now on E1 and E2.
- Now seeing German based templates that are essentially the same thing but in German.
- The injected reply is usually prefaced with the following: 
"Attached is your confidential docs."
"Attached please find the wire transfer form."
"Thank you for your help. Please see the attached."
"Load instructions attached"
"A printer friendly attachment is now included with each email."
"Click on the attachment to open or save the printer friendly version of your report."
- Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
- The link is customized for the display text of the link to show the real domain of the spoofed organization.
- These templates are pretty limited in run and not very numerous. 

Link Regex Report:

Regex directory patterns - Nothing new to report as we are going to all attachments, it seems.

E1
https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/

E2 
https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|demo|direc|Document|DOC|esp|FILE|homepage|images|INC|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/

NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/

These Regex patterns are to be used experimentally and at your own risk, but they caught 95%+ of what I saw in link malspam.
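As an added example (not part of the original report), the E1/E2 patterns above run over a few constructed sample lines in Python, with and without the (\"|\n) anchor from the NOTE, so the false positive the anchor removes is visible. The domains and directory names in the sample are placeholders I made up, not indicators from the list.

```python
import re

# The E1/E2 link regexes from the report, copied verbatim (E1 = Epoch 1, E2 = Epoch 2).
E1_PATTERNS = [
    r"https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/",
    r"https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/",
    r"https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/",
]
E2_PATTERNS = [
    r"https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/",
    r"https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|demo|direc|Document|DOC|esp|FILE|homepage|images|INC|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)",
    r"https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/",
]

# The report's false-positive reducer: require a quote or a newline right after the last slash,
# i.e. the URL must end there (href="..." in HTML, or a bare URL on its own line).
ANCHOR = r'(\"|\n)'


def anchor(pattern):
    """Append the (\"|\n) anchor unless the pattern already carries it (E2 pattern 2 does)."""
    return pattern if pattern.endswith(ANCHOR) else pattern + ANCHOR


def classify(line, anchored=False):
    """Return ('E1' or 'E2', pattern_number) for the first pattern that hits, else None.

    Every line is treated as newline-terminated, which is how an extracted-link file or a
    bare URL list looks; an href="..." snippet supplies the closing quote instead.
    """
    probe = line + "\n"
    for epoch, patterns in (("E1", E1_PATTERNS), ("E2", E2_PATTERNS)):
        for number, pattern in enumerate(patterns, start=1):
            regex = anchor(pattern) if anchored else pattern
            if re.search(regex, probe):
                return epoch, number
    return None


def scan(lines, anchored=False):
    """Map each matching line to its (epoch, pattern_number); non-matching lines are dropped."""
    hits = {}
    for line in lines:
        result = classify(line, anchored)
        if result:
            hits[line] = result
    return hits


# Constructed sample input: placeholder domains, directory shapes modelled on the regexes.
# None of these are real Emotet URLs.
SAMPLE_LINES = [
    "http://example.org/wp-admin/abcd1234ef_xy5z9w-20190514001/",          # E2 shape 1
    '<a href="https://example.com/wp-includes/AbCdEfGhIjKlMn/">Open</a>',  # E2 shape 2
    "http://example.net/wp-content/q7w2e-rt5y6u-ik9o/",                    # E2 shape 3
    "http://example.org/en/Clients_information/12-34_5/",                  # E1 shape 1
    "http://example.net/secure.de.myaccount.docs.com/",                    # E1 shape 3
    "http://example.com/news/summer-travel-ideas/index.html",              # benign; E2 shape 3 false positive
    "http://example.com/about/team/",                                      # benign
]

if __name__ == "__main__":
    for mode in (False, True):
        print("anchored" if mode else "unanchored")
        for line, (epoch, number) in scan(SAMPLE_LINES, anchored=mode).items():
            print(f"  {epoch} pattern {number}: {line}")
```

The benign deep-path line only matches when the anchor is off, which is the false-positive class the NOTE is talking about.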

Payloads Report:

Stage 2 docs are all being delivered by attachment, it seems, as of mid-afternoon today. E1 has been attachments this week
and E2 went to attachments this afternoon. There also seem to be only 2 quintets that were in play on each botnet
today. This is further reason to believe a break is likely because this has happened in the past near the end of a long run
of spamming. It is almost as if they have some garbage left over to use up and just throw the last 2 bundles or 1 bundle out
before putting it on auto-pilot.

Seeing a newish hybrid of the loader being tried on distro for E2 today after both E1 and E2 were back on the old V1 loader
yesterday. James Quinn (@lazyactivist192) and I are calling it V4 as it differs from the previous v2/3 tests of late.
James thinks, "Yeah it's definitely v4 as it takes elements from V2 and v3" of the new loader.
This one is still not hash busting and just comes in 1-3 hashes and sits for hours (usually 10-12) with the same hash on Distro
and C2. They must be having problems with hashbusting or they are testing still.

C2 Report: C2 Combos are slowly falling now on the E2 botnet after reaching a record 95 combos over the weekend.
C2 combos on E1 are slowly increasing. 

C2s DID change for E1 and increased from 61 to 69 combos in total. - recorded above
C2s DID change for E2 and decreased from 92 to 90 combos in total. - recorded above

Closing:

Well, a lot of signs are pointing to a break and we are due for one but Ivan has fooled me several times before with this.
It could just be some testing of some new features/code that kept them from hitting the spam button hard today. We will
see what tomorrow brings.

TT

Sandbox 05/14/19

(all with fakenet and MITM unless spam/secondary infection)


Epoch 1 C2 run on 2019-05-15 at 02:00 UTC - https://cape.contextis.com/analysis/73848/


Epoch 2 C2 run on 2019-05-15 at 02:45 UTC - Courtesy of @lazyactivist192 https://pastebin.com/6Mus5st4