Emotet Malware Document links/IOCs for 05/16/19 as of 05/16/19 23:59 EDT
Notes and Credits now at the bottom Follow us on twitter @cryptolaemus1 for more updates.
Epoch 1 Document/Downloader links seen for 05/16/19
http://adamjaneomir.kz/old/verification_area/net/ENG_US/myacc/sent/
http://blog.meditacaosempre.com/wp-includes/open_network/com/ENG_US/accounts/new_resourses/
http://callsmaster.com/azureink.co.uk/sec_zone/US/sign/com/open_docs/
http://eidriyadh.com/cgi-bin/trusted_network/seg/ENG_US/myacc/send_files/
http://hitotose.org/public_segment/com/Eng/logged/new_resourses/
http://ihax.site/generall/secure_zone/ENG/sign/biz/open_docs/
http://lettingagents.ie/wp-content/open_network/sec/ENG/anyone/office/
http://montrio.co.za/wp-admin/public_segment/biz/EN/logged/sent/
http://mrtrouble.com.tw/wp-content/trusted_network/seg/EN/anyone/open_resourse/
http://myschool-eg.000webhostapp.com/wp-admin/public_segment/com/US/signed/sent/
http://neurolat.id/wp_orig/trusted_network/com/ENG_US/sign/sent/
http://shvedshop.ru/tovlsk3kd/public_segment/seg/Eng/myacc/office/
http://sosyalfenomen.xyz/wp-admin/sec_zone/sec/en/logged/user_documents/
http://weboyun.site/wp-includes/secure_zone/ver/ENG/logged/public_data/
http://wordpress-269961-838458.cloudwaysapps.com/wp-includes/ncaa61/
http://yoloaccessories.co.za/ukhz0yw/trusted_network/ver/US/anyone/new_resourses/
https://adamjaneomir.kz/old/verification_area/net/ENG_US/myacc/sent/
https://thezebra.biz/wp-content/secure_zone/sec/US/logged/office/
Epoch 2 Document/Downloader links seen for 05/16/19
http://130belowcryo.com/wp-content/fvnikscm3o_jpxvsmwt1l-981571726/
http://1roof.ltd.uk/creationmaintenance.co.uk/PLIK/0b7yzogc9ssofb8efy4o2otyua0o8_769kqe-314850535719656/
http://37p.jp/PLIK/ABmcygtH/
http://4you.by/wp-content/parts_service/JJUzdjDJMh/
http://actyouth.eu/images/esp/i2b08crtzw5cemgb_c9lnt9-19555073384/
http://adepterssolutions.in/news-admin/sites/KwMonjtPbhHoTi/
http://akaprintdesign.de/wp-content/zojdg93o_xynmmr45kk-00422649/
http://allhealthylifestyles.com/9yng/lm/isd8j0bsmhi53u3lxao5_bhas06a-10817970098761/
http://allinonetools.club/application/ximd7u7nigxu9r_kc6bgdfo-958450195888/
http://almasoodi.com.pk/almasoodi/Pages/FYFfLurBAReNMWhHjmNpbdk/
http://alvaactivewear.com/wp-admin/sites/oPXPxcXaP/
http://anizoo.site/wp-admin/INC/RJlIOVWEoAjmvQmKDHCz/
http://anja.nu/FNNjSOdy/
http://anneko.co/wp-content/uploads/FILE/LmqEqXsotInlolSAhofuLmloHMFcv/
http://apps-phone.ru/jutorje32/DOC/JbTiJsOuYLfycnAcnNlAVftM/
http://apptecsa.com/phpMyAdmin-4.7.2/Dok/asbgcruv4k6haf567dfcwtekrl_e6601rvc9-9233947367573/
http://armpremium.ru/wp-content/zimmfsnar1mmbkqgw3lywr3hay_4tz27aj-944046501916/
http://aseanarmy.mil.id/adminos/lm/AHFYbndZNarqnjoX/
http://assia.be/cgi-bin/INC/ghUlZrdTtrHRYcREjlljOCrLM/
http://ayashige.sakura.ne.jp/CGI/INC/l66nxpe9j_i5idhzxbj4-17570585088/
http://ayrconsulting.com/ssfm/b5kpfyr4brv5ulcvzrj4x4p_1ofz2gukj-441557287873828/
http://bariloja.cf/wp-includes/DOK/u64cootnzedlueyyst5y94_ll2jkxhz9f-74475965040/
http://basswoodman.com/janahenry.com/INC/gw9y5bij19cs7fk8_w7z306-48284886/
http://bat.archi/wp-admin/lm/bw0n1svwvd8shr5yf1uy546xj6s0e_za6ahbfsa-93869808191/
http://bdtips.xyz/wp-includes/INC/KVZWqNkLvingKt/
http://beau-den.mrcloudapps.com/cgi-bin/sites/k9i5flfy09jn2_u8dj2-68720464/
http://beenet.ir/wp-admin/Dok/RcYBXGZBCaSsReYhmJhMFEj/
http://berryandlamberts.co.uk/wp-content/lm/rKQbWerWVLWuUvoiKdTsyYaf/
http://bestwellplastic.com/wp-content/Dok/iav83v73v8m4ezu5eepquatv_hayo2-11638833/
http://bey12.com/sircuss/Document/weSFwOcnrd/
http://biederman.net/clients/DOK/dc9v71bcybeh9bmdsqw1y4a6xq_veb2196wtl-65827335/
http://bigdev.top/wp-content/Scan/CiSVqtexOXHqccnPRHVrFZulugyjNJ/
http://bim-atc.kz/picture_library/Scan/TusXOGxhowSvSgZPnoXBTmnD/
http://bimeirann.ir/cgi-bin/lm/zep2i1tfx9606nz9zmc_01n5iwx9hz-96231646376136/
http://blog.instacart-clone.com/wp-includes/SimplePie/parts_service/uatoqujs7s7ediuaxvs5cuqm_ddt16mxu-564056354031/
http://blog.vdiec.com/wp-admin/INC/nzdpfqq4n5heq4tqyqtb309jz5wsp_gvx0ok-68900526928509/
http://blogs.ct.utfpr.edu.br/mansano/FILE/oHGsFrZhNkGrfNgnF/
http://bluestag.co.in/wp-content/Document/ei8b4ogccm21_j0o9skc-45698780357431/
http://bookipi.net/cgi-bin/parts_service/VSvJSSSRemqMcXTcXFMkCHm/
http://brandsecret.net/esp/oqmGxiXXZfhwyKzPjVntdkXIiUKqO/
http://buenoschollos.es/wp-admin/Pages/2cudm68w7lue6xxd32woevdmpa_1mmc3j9o-3719672984/
http://canetafixa.com.br/wp-includes/DOC/TayOTpSUibJMGVhWPLYMQPNyAMejp/
http://cavalluindistella.com/wp-admin/INC/02ssocd4j70na2_vwo85-981220018653481/
http://cebiro.com/wp-snapshots/paclm/aucDwidPpIdoSULVOHNDpxhI/
http://centurystage.com/download/PLIK/hhlqSJuAbGEHrKWlHXM/
http://cgfilm.in/oldsite/6wz4jweq0kim8lp1u1rtxq08_x46qm6ak8-1916202749831/
http://chitranipictures.in/wp-content/DOC/IDnxFUZLywHSGXARYDJBUemDjgtbH/
http://cib-avaluos.mx/images/Scan/UCPljcvhhdDDmN/
http://cmtmapi.com/wp-includes/iqPXmstyTYBMrANrUNufDPtb/
http://colegioadventistadeibague.edu.co/wp-includes/lm/iindtspj7l1rjua_kth52-09810828625/
http://cosuckhoelacotatca.net/minhan/esp/TozTzAGvwJy/
http://couchplan.com/wp-admin/nspeBheHdcQO/
http://dagda.es/wp-admin/pbjEjvXCDCMbLyYV/
http://ddmadrasah.com/wp-content/parts_service/n12d50ylod2r8t6x44vqprh4_ex47v5-9015107945384/
http://deavondkoeriers.nl/wp-content/pEVkYSbYDwzbGABbDEaT/
http://demo.madadaw.com/wp-content/tmp/parts_service/wduag244xpe8ong90jzuan4khkot_0iumbotp-231441578681/
http://demositem.cf/wp-admin/FILE/aoypu5e1tuyrjlyr69t4ra_nv5csuj-9437694127174/
http://digitalmaker.tk/wp-admin/sites/9g8kmp2ao8qj0d43j70scd_2jg9b3-4313814001/
http://dp5a.surabaya.go.id/wp-content/sites/EKZfdNpWZotyFtajzRWGdNyTuawChG/
http://dsdalismerkezi.com/img/kPRNhdheCCcQaReFSWoHiYOSY/
http://eco-chem.hr/wp-admin/Pages/eSKyupWfFrbpzSD/
http://elysiumtravels.com/images/Dok/jQyHnaZhuX/
http://emmaxsimon.com/wp-content/Document/bveowJpDLmSKBIizwkDrjGI/
http://epi-basel.ch/b/Document/hfvfXJUXKywglfdWggiWtrISdIDfQ/
http://e-tvet.kz/wp-content/Pages/uvfqfafagew8yjycmd0w_kliv6kg9a-685391039503795/
http://fabaf.in/wp-content/xQzYymSsFWmifpwkWxFs/
http://fargopetro.com/jynne2w/LLC/9emy1c5slucz05ztsb_giwscuomzh-539483200738252/
http://farsinvestco.ir/wp-admin/74bqrll2fravktt7jkycl_535qav-869522814724593/74bqrll2fravktt7jkycl_535qav-869522814724593//
http://fearlessprograms.com/wp-content/AsFahoxNfqtWVWeTIGuuIPuB/
http://filosofiya.moscow/2vx0z2/vlec09ninvhx1tu7g21lv25akgx8yq_0cfkc-505184962343/
http://firemaplegames.com/screenshots/DOK/36p7ai74pwfft83s39lde90v_ysp3l3vt-52256482068972/
http://fulan.tk/wp-content/LLC/r0gy18x366omf1z9zzz38_pj5h3pxf72-6411330379420/
http://gak-tavrida.ru/wp-content/parts_service/xj9ep58gcu77dv4a_38ghv2-465992270155987/
http://gamemechanics.com/images/sites/ARJgpwEUKDppqpSvtntoWtdhkHD/
http://garageprosofflorida.com/wp-content/INC/xm4qz42spqey0xbmlse935p7n_htnif-808927181/
http://gargprinters.com/wordpress/sites/o9dj2vvbzymnqesqhfizz3h1ab_g5vk3aqrq-24829672015508/
http://getagig.com.ua/images/lm/a6sym90g42a_8d5b2aq-8151006185/
http://getcloudptt.com/templates/Pages/xxl0cq8cqezqz4621v0cce94y9ghf_ij61d86-70440851677/
http://giakhang.biz/DronePhotos/esp/oti52aat89098xmvyn4g4a2a01_1usqbam-8733587385/
http://ginfoplus.com/wp-admin/lm/VRmBlBSvlJ/
http://goldenfibra.com.br/tae0de/DOC/p2ap0ealmknrs68fu2v6_tgp2qiy-39049131/
http://go-offer.info/wp/DOC/PtnjlMhFeuxJeBQbxRE/
http://graf-zenklusen-consulting.com/images/DOC/LRUberBlPcNZpMGIxlyliwxEBburL/
http://hakan.gq/phpmyadmin/INC/09j3zev48v1si2_dvo5k-186622991462132/
http://hausgraphic.com/_FF/StIWtZpyZAcRNVctmJbPp/
http://hazama.nu/MT-5.14-ja/Dok/6fdzvo5g6gn6s4083n5vpi5qmcbf_rl02uon-0394150359386/
http://hedel.jp/monte/5xnah88x5jqvjzaw5z_uak8v-172663407/
http://henrijacobs.nl/INC/6os1h3evk_rbi1wubtp-707389997/
http://hightec.cl/wp-includes/DOC/kDpCqBrFtWIRTbSiF/
http://hotspot-systems.de/jonsfishingsystem/ufo4anic25v9hory_hvtia5t-27231959/
http://huskennemerland.nl/wp-content/Dane/GdkPYoUjjerintLfNC/
http://ibuying.pk/mvmbb6/Scan/kycJsdNnHnGwSCBEAAHeiLuMhLaSG/
http://ideenn.ml/wp-includes/Document/QwhCDlWSqrNIU/
http://ikoym.top/1/parts_service/dq444l3aqmdfnpemawd0a_qgxpaq-78515102739513/
http://ionline-productie-b.nl/css/INC/VBwPIKypwEqydjabJDQNfiCZQkzGjQ/
http://irwaffle.ir/wp-admin/LLC/ac1u2198b4nwzruvvf7vgidfg5_d6l4ab42c-06160596397268/
http://kadindergisi.net/wp-content/GHHJnlWfdJ/
http://kaum.com/wp-content/plugins/sites/l006jmwzvwk6cr2ie6_8f1de-04921188537/
http://ketabdoz.ir/freee/puHcqwrPDLCVKooqIsAWrZaLvH/
http://kikinet.jp/album/Inf/RlepFgbeAChcdMiqgkiIkHSuxktIX/
http://labmilk.co.id/cli/Dane/sjcmfzurexoinw8yktp75_d9wfqb-515794612/
http://ladesign.pl/cli/DOC/9q2zhkcyggh1shu00gx_ov7jndh6k-09455198824059/
http://lbtesting.tk/wp-admin/Scan/sp8s3jj8t3ub5v_09dte-646541542/
http://leidon.nl/wp-admin/paclm/BqHlWKmjmIXLTcyUTrbzTxhKYyBNh/
http://liliputacademy.com/js/Pages/sZVKaWgsdTqOMYLAkFZJ/
http://limpiezasdimoba.es/wp/Dok/weugvitf5i8i6h31w6mcw9_68ca8-0982487868527/
http://lmichellewebb.com/wp-includes/sites/lsiUKvhcKlmkTYybaSHJLJ/
http://lovelynails.ca/resources/sites/NqdWRIqg/
http://lucio.tk/owncloud/apps/Document/gCtYgotLLaOSdbLbBFGEQie/
http://lukmanhakimhutajulu.com/wp/parts_service/kMPfrxNgryCHxScxdLmmX/
http://lylevr.com/wp-includes/DANE/caqmunld9d0bwoe485_4wbne40n0-13420866855/
http://maat.cf/wp-content/DANE/rys4k5gnsmsqsxjm1ncolweyxmbz7_ye2caowb-5237557421/
http://madagolf.com/cgi-bin/HBRmyJrBYWdYXgTDWZJBtnILol/
http://magic-luck.com/zz9dm/Pages/aDpiYmCZFOXUUAiDlIv/
http://mahala.es/wp-admin/parts_service/bFCccFADAwzYYDtnwvMasFaWXBTDI/
http://makeinchennai.com/wp-includes/Pages/2d4dnuzbyacpsp9sdrm8jry1ybg_rt342h9kh-617434830941957/
http://melangeemall.com/images/lm/3f7jx00qxwua_qi82cgg4z4-42435752/
http://mikemcgowandrivingschool.co.uk/wp-includes/3p7kx6f6_i2sbp0dp4-73400649/
http://mindenamifeeder.hu/libraries/parts_service/HgEtaNeyHaMAYcgjXZg/
http://miplusmutiaraislam.sch.id/wp-admin/Pages/xn2yogtul7r_unm2vayqlk-14939001/
http://mroneagrofarm.com/wp-content/yQSOlwihKvauXYrdesnywE/
http://mrts.ga/gallery/img/uploads/BmSCADCNVDuCFiJ/
http://myhealthyappshop.com/au13/lm/purrrQeamZXyiCDFDm/
http://myvidzz.xyz/wp-admin/lm/0xmi5dgm2nyy2zv9npukw_024pc4szh-039929300/
http://mywebnerd.com/moodle/6mzlj4vumsbdgcjm17n8qtawde_0lovhzq-587627277/
http://namgasn.uz/includes/FILE/ynjeciuqbao1oqoo9uo7z_ivwitvqu-8170101122772/
http://navan.co.tz/cgi-bin/FILE/mRiXcidPXtaZLOfqsCdyFDRNT/
http://nazarnews.kz/wp-admin/lm/vkucvNqkiOmooLS/
http://nesrinrealestate.com/wp-content/DANE/KtdQBcEuBAybuVnLqt/
http://newmarkettowing.ca/wp-admin/gsikuf1n6mzsy_5pukqn-469095634853/
http://newparadise.com.vn/wp-admin/DOK/e52jnca99j_ufwvghp8oa-92780853/
http://nissankinhdo.com/wp-content/INC/cxINdPbSHvWJLYkkGt/
http://nissankinhdo.com/wp-content/Scan/EOqiZAqSehfbChtjoOZ/
http://nomatyeinstitute.co.za/wp/esp/jfgqbhr1towl9iedhe6n_3i2npjtm-227259736608/
http://novaan.com/wp/vNzpvVYF/
http://nppaquasell.ru/templates/FILE/UStyjgzpCUKEe/
http://orida.co.th/ywhv/lm/gy7eo66gr0f42jbdj5z0wu6_cunzn61nf3-608153857217416/
http://ozdemirpolisaj.com/wp-admin/DOC/8wzp7a7yucb7j8_5uog8v39-738053714/
http://patuaquadros.com.br/wp-includes/PLIK/WslHbtXFcCJPTPXRzDcCr/
http://penis.tips/just/parts_service/IjjaTgJJmRFScXZFNNVFeOHCX/
http://permanent-rf.000webhostapp.com/wp-admin/Dane/gyLjTtnSncdMgmLDW/
http://phukiensinhnhattuyetnhi.vn/wp-admin/Dok/dAsiYLWHSXSjuKMqwUmSZ/
http://pkols.com/ltc/lm/y0qtzd293a46_edivl-05667044/
http://plazacolibri.com.mx/sitemaps/tZIrXgpANdT/
http://potolkiakcia.by/wp-includes/Pages/chMDiBTNd/
http://priyainfosys.com/products/QpIuZyAaFgoUpASiO/
http://projetoidea.com/cgi-bin/Document/ntdqwygpvi22hqbr_hb35nj59mk-67421750/
http://publiplast.tn/wp-content/INC/QYcxBmxCgLSPLghKBguFACNdfmvt/
http://r2d2-fitness.by/wp-content/Pages/kkon3wrs5e55_5jetu6vxq-577435771743912/
http://regalosdemaria.com.br/wp-includes/paclm/4rrn5llvpq7t6f6pgvnunsre4a5_jlbaj4tc-9760184636/
http://regalosdemaria.com.br/wp-includes/paclm/BghjjRFZMncgnELOp/
http://retolert.gq/wp-includes/vflos34ornmgwmc8k5rtf6ifq_avzfsvq-64972674/
http://rogerfleck.com/hbadvogadas.com.br/Document/gxx8rxyyf7zuz_slasi-93220491303/
http://ryzoma.com/cgi-bin/Document/55o2itnmf3ej2jic5i6uwuel_0n3zs3z-07736507334/
http://sadrkala.ir/wp-snapshots/LLC/rRQnTBielLGDva/
http://samel.store/wp-includes/YqzPIJSvOosRaNyeFY/
http://sanko1.co.jp/lp/FILE/k518bwvfhrv_zicsevw-386184410493840/
http://sch.co.th/wj7srfw/esp/yyvBIVEmh/
http://scholaktis.cz/wp-admin/INF/OBGjnolY/
http://sensoryexperiments.com/wp-content/DANE/FwfQCkHKhKDKesvfHyklppxJlRZDz/
http://serialnow.ga/wp-content/Pages/kyvw2rg8l34j7cr3h5axgi1m4mn_fzjqevf-97122936/
http://shop.deepcleaningalbania.com/wp-content/gtt67lnmf2nf_yte6bgga-98525083654/
http://shoprobuy.000webhostapp.com/wp-admin/parts_service/eoBFtBVDFjICdeSlcN/
http://sjhoops.com/EPXHHogiQGyFotfWP/
http://sjhoops.com/LLC/zaHfarwetgvtouIYgJgqLdr/
http://snsyndicate.ir/cgi-bin/LLC/NaQGnVzXII/
http://sogreen.com.ua/wordpress/sites/x4s0s83o6t1cj7iutpp_432qzvi7bo-49947499407/
http://spoorthy.ml/test/sites/yKMhqFRmcsGL/
http://sportboutiqueheleen.nl/wp-admin/sites/ifeqze447_cad5c0-88908196117026/
http://sshskindnessproject.ca/wp-content/paclm/14b0txzbwhjid9aqjb0olm_p0tu6y7-248592356467/
http://stahlbau.kz/templates/lm/f17n2xp441oxn32cl_nnajqd-37483536518/
http://supervinco.com.br/jslaqvc/sites/mxzvoh89x0qckgr6o15u5u6_flunaxbr-58482644361652/
http://supetar.hr/wp-includes/esp/QYXHSwFWbFDDhNoKauRpvmtmJksmz/
http://tabea.co.id/_tabearoot/Pages/q0b9ltiv7p0hqmp_jamyvr-15838314/
http://takosumi.sakura.ne.jp/GalleryImage/Pages/gvxyFfuTznyrvJlUA/
http://taubiologic.com/wp-content/parts_service/om2cmp12f6slvrgr_a0i4f1e8uf-95220990/
http://teestube-luetzel.de/cgi-bin/paclm/nDitKtuX/
http://tetrafire.co.uk/wp-content/Document/YaMgagUqzQWDEVDtgpE/
http://thebiz.000webhostapp.com/wp-admin/LLC/IkIhMNlLflglVDFyNHbiCVSd/
http://the-massage.gr/cgi-bin/Dok/pu2zn9bgo9wk_m5pmtkpzj-00723560/
http://thewaterstation.co.uk/q95z/Pages/sZZeohQBUAmaA/
http://todomuta.com/tm/FILE/nOaAZQXqAbdXG/
http://tpc.hu/arlista/oOIySDvQJLfLQTozFfQyENEHfoXvs/
http://trangsuchanghieu.com/wp/Scan/jsePFSPOMxTUeX/
http://travlsocial.com/gyiodv/Document/JgNOOIjYDCQIxgoUAewiQdbxaTOG/
http://try-kumagaya.net/4_19/sites/wBeOmDMDBpaDEZXArZGswx/
http://turbofilmizle.cf/wp-includes/Document/4qxat60pq97loocw9o_0kp5t-807583314427/
http://ucuzgezi.info/wp-includes/sites/mkngjwv5m6l1sv17p87yx0_pknytr-75251279104426/
http://umfccicentennialexpo.com/wp-content/uploads/o5bb4tmlhcrqif9_xed9ozwg-413214995635/
http://usgoldusa.com/wp-admin/vfkyadxlebnftqaq5r53pbjg_0pii503-128245217/
http://vhadinyani.co.za/assets/FILE/cd2tgc9o5lnpawduex92nw1r_0ijph-743646261560585/
http://vibeshirt.de/wp-content/sites/4808gr7cs81o_xv8lp5-90716048173/
http://vigamagazine.com/wp-includes/vf31tim48_w3w3dhra-43233738464585/
http://votopforma.com.mk/wp-includes/INF/teNpETzCTgqmvGtBALHihbQHmEnr/
http://weareredi.ng/doc/DOC/gnkhfcwfrgw2uxshp3epae0_ao74nlt-096921694396262/
http://whitelilygreens.ga/wp-content/sites/RTmnhskXEelCtFMyXNqZmGNWZFAjzP/
http://wilkinson.digital/img/INF/YjRuZubZzNCy/
http://www.actyouth.eu/images/esp/i2b08crtzw5cemgb_c9lnt9-19555073384/
http://www.goldenradiancenow.com/wp-admin/parts_service/lFmpsVJLIan/
http://www.kaum.com/wp-content/plugins/sites/l006jmwzvwk6cr2ie6_8f1de-04921188537/
http://www.labmilk.co.id/cli/Dane/sjcmfzurexoinw8yktp75_d9wfqb-515794612/
http://www.mahala.es/wp-admin/parts_service/bFCccFADAwzYYDtnwvMasFaWXBTDI/
http://www.vigamagazine.com/wp-includes/vf31tim48_w3w3dhra-43233738464585/
http://xn----7sbgmqervmpp0d.xn--p1ai/wp-includes/FILE/yWHdPzaHll/
http://xn----8sbabmdgae0av6czacej5c.xn--90ais/lm/04af9pc4r_zr8957e70-92859625159/
http://xn--b1aafke9aadcbbkcup.xn--p1ai/wp-content/INF/NmwQuxOAFqnnxZxFpfFxiGISpSsztO/
http://xn--trpillershoppen-ylb.dk/Wordpress44/esp/mznym99n3i0i3xzpfs_4wldupbgd-572062628731/
https://akaprintdesign.de/wp-content/zojdg93o_xynmmr45kk-00422649/
https://allbusinesslisting.org/uploads/DOK/lATaKZeIkwAwpVfWgKTuQRLrIUKRRl/
https://asuvision.tv/test/FILE/d8cte9mw81zzf_9j1w7xs-6470775946/
https://bestwellplastic.com/wp-content/Dok/iav83v73v8m4ezu5eepquatv_hayo2-11638833/
https://blog.instacart-clone.com/wp-includes/SimplePie/parts_service/uatoqujs7s7ediuaxvs5cuqm_ddt16mxu-564056354031/
https://cgfilm.in/oldsite/6wz4jweq0kim8lp1u1rtxq08_x46qm6ak8-1916202749831/
https://chaoscopia.com/js/GRiXfUmZTvkPwJwkTOfo/
https://couchplan.com/wp-admin/nspeBheHdcQO/
https://digitaldog.de/galerie/4images/data/rtfak8ayc996q7cg5vh5_l0er1foo-15589708786576/
https://dp5a.surabaya.go.id/wp-content/sites/EKZfdNpWZotyFtajzRWGdNyTuawChG/
https://dsdalismerkezi.com/img/kPRNhdheCCcQaReFSWoHiYOSY/
https://fargopetro.com/jynne2w/LLC/9emy1c5slucz05ztsb_giwscuomzh-539483200738252/
https://fearlessprograms.com/wp-content/AsFahoxNfqtWVWeTIGuuIPuB/
https://gak-tavrida.ru/wp-content/parts_service/xj9ep58gcu77dv4a_38ghv2-465992270155987/
https://garageprosofflorida.com/wp-content/INC/xm4qz42spqey0xbmlse935p7n_htnif-808927181/
https://giangphan.vn/wp-includes/DOC/tvohhrTjpSH/
https://graf-zenklusen-consulting.com/images/DOC/LRUberBlPcNZpMGIxlyliwxEBburL/
https://hakan.gq/phpmyadmin/INC/09j3zev48v1si2_dvo5k-186622991462132/
https://heartburnsafe.com/Heart/INC/wpb3sxn9o1zj4gth_ueiavrvmj-94874739/
https://heritagehampers.com/wp-content/Scan/w47f1wrvkbj_nkrlejr-2795797927401/
https://innovate-wp.club/wp-content/uploads/FILE/bPYdoYkAmNrMQVSzGycLJJeNgF/
https://itcomsrv.kz/wp-content/DOC/g1gc04s1woz64tp6ugkcifwtu7pk0_l0pue-9898692635/
https://katesemernya.ru/wp-content/VZsHFaCUcNbTmOGOZDsmWzlgwdrPDR/
https://krpan.si/wp-content/uploads/2019/05/2t0dbnos2wr96o_381e4a-170273837/
https://liliputacademy.com/js/Pages/sZVKaWgsdTqOMYLAkFZJ/
https://magic-luck.com/zz9dm/Pages/aDpiYmCZFOXUUAiDlIv/
https://magisterpknuncen.id/wp-content/Pages/eonz071di2e3rfzr97t6_1j72goump-16649832843198/
https://marsella.kz/wp-admin/Pages/s58yu0v6fypgyfni20hii8hwg_jek2i-606008745493539/
https://musiccollege.kz/wp-admin/FILE/6dvs7d7n47nvo55obcs_g1v5zaoh-17220872243397/
https://notequeen.com/wp-admin/Document/2fo532d7wa2r_9lcsxxft2-8412003141683/
https://nutshell.live/wp-snapshots/Pages/jzopxeblzz61nek_dmf5x814m-670538746883/
https://onepostsocial.com/wp-admin/IZUAnTNTiZYOOMjqWFxpGmts/
https://pkols.com/ltc/lm/y0qtzd293a46_edivl-05667044/
https://potolkiakcia.by/wp-includes/Pages/chMDiBTNd/
https://quantumplus.ml/css/paclm/io1d7hdm7xpju25ocmsn3u_1i55q-17574052527/
https://rumahrumputlaut.com/wp-content/DOC/m9z2zfv8ty8piy8n3n673jni2_7qxt66f-060570155262/
https://sensoryexperiments.com/wp-content/DANE/FwfQCkHKhKDKesvfHyklppxJlRZDz/
https://serialnow.ga/wp-content/Pages/kyvw2rg8l34j7cr3h5axgi1m4mn_fzjqevf-97122936/
https://shdesigner.com/cgi-bin/esp/FSgyAKIBQNSZp/
https://sshskindnessproject.ca/wp-content/paclm/14b0txzbwhjid9aqjb0olm_p0tu6y7-248592356467/
https://supetar.hr/wp-includes/esp/QYXHSwFWbFDDhNoKauRpvmtmJksmz/
https://tamsuamy.com/images/DOC/n47uq53evl5k4aok0m3u4c_matymqo8dn-00080612/
https://tenutamose.ml/wp-includes/PLIK/oOBezaIAKkL/
https://thelearnerscube.com/permalinko/LLC/ezRIpLZSzPjbyWyvGScAAIrkVeveUz/
https://topaqiqah.com/wp-admin/lm/DoPLQqjzubGoYIdafQjheaucnxsfrJ/
https://ucuzgezi.info/wp-includes/sites/mkngjwv5m6l1sv17p87yx0_pknytr-75251279104426/
https://usgoldusa.com/wp-admin/vfkyadxlebnftqaq5r53pbjg_0pii503-128245217/
https://vibeshirt.de/wp-content/sites/4808gr7cs81o_xv8lp5-90716048173/
https://virt-it.pl/_cgi-bin/esp/hkv2dmdhkwt6j7uibjmra7q_k8xf8-002158627533800/
https://www.actyouth.eu/images/esp/i2b08crtzw5cemgb_c9lnt9-19555073384/
https://www.adepterssolutions.in/news-admin/sites/KwMonjtPbhHoTi/
https://www.berryandlamberts.co.uk/wp-content/lm/rKQbWerWVLWuUvoiKdTsyYaf/
https://www.centurystage.com/download/PLIK/hhlqSJuAbGEHrKWlHXM/
https://www.dsgn.mk/forum/DOK/IoZBxHAbPkndsNbOOnTlAxS/
https://www.teestube-luetzel.de/cgi-bin/paclm/nDitKtuX/
https://www.vigamagazine.com/wp-includes/vf31tim48_w3w3dhra-43233738464585/
https://www.wfall.org/wp-content/INC/GnfnrofqKVxCNlYQstEYvksuul/
Epoch 1 Payloads by Document SHA256 - All Times UTC
Creation Time 2019-05-16 18:54:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
7560a5788b3674eb205e85f6099595b70ae1cfbcf8c58c69736c79c4447c1fe3_
ea176b00e3efa46089e333b35b80724d933d018c2bc6af0f26c67ce25a5fea0f_
f1b64b23d33eaea4f80cb513480702851efabf374554d8c25c3f8d4d4d86e34d_
410f7724c912693a1e10d6fbd104c6dd9b0306d6683e451aa9f5efed5e824a7e_
1f3046e7924b3567ad00bf0a04984a88cf4c1a5bd7d073a5552b831e67aa6021_
7b9861c70f0ce91539af27a4a8ad87c7ff853ae8b2734fec286e73bebd44e128_
9640d859d9e4d9ca6e48db772d2df1de95e3e695d0f7aa86425e3c3cb7e8fcd1_
4226785c671b436dd779972db77b768bd3fb511becb7eb3b99c5bd355182d720_
e9153c882d09dfa16e4423fc7866f44ecf9d50f9859774e8828c9f3b2fc21e98_
http://blog.apoictech.com/wordpress/wp-content/9on272/
http://blacksilk.xyz/wp-admin/4b11ihx1465/
http://cbdpowerbiz.com/www.thejourneynew.com/b4bqg3/
http://vmsecuritysolutions.com/cgi-bin/qh6/
https://itreni.net/acc/7fk45918/
Creation Time (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
88cb52635718fb412b5c7fb1700552d2578d3c344714a732551c97d2d9c42c13
e7e672ff9241f44390efac0235106b8c984b6065ff720d12eb7a66f31b41aa34
90ecd482e0ad51e6dcc2057c2fc0630f947d6028462851157d9d69a8a3bbc3e9
57f97f4660ad33270ac7a8fd233b7dc60ab09f439a9f0d2b30d98fed1e5307a8
8c2b6bae0c74078f8eda3f1abb9dcb300ecec3a4ba8b89ae5f5ba71a994d9cd3
http://adex2019.com/wp-admin/u39/
http://hubcub.com/test/pe56/
http://led-lcd-repair.com/Scripts/oryzre18/
http://kafuo.net/1989/byws3s862/
http://saigon3t.com/tni/5drt01/
Creation Time 2019-05-16 06:40:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
638bf03bdd7ef779d559c208eeabc10a37adeeb34984de29445b5bff5a76246f
11673df3d07989b37e6b0f6011822697a3387152ed1b8b5cd2336a46c26b9a08
bd803ae96b5f939fb44e4c6a8304fb728d6aecbd7e7f084548a6fa6b8e588ce3
ab0dd1a71b05f7ebf395e3e302ee52d0a28200f386e8fcd94bae9434a89cbd83
f6128bf8cab0c5d0d298d7ac385fa223be63daceaf0b34f279ce79d1385f36e0
953875931a4b0d7e116a2510293ab702feb341d35176e4aa5d8e6b04efb6fd08
e43ff81fea8483b0260e0f7328fab7823f38f0ca81e67f282611d5f47f0ad357
8d9c6cda7de388253c99c7009b0048209e7ed77c562225deeb3d902f0e83d8d8
0c6e031069259f2d9af2681c194c3fef7019b3d33c1753c1e15da22cac5fe23d
638bf03bdd7ef779d559c208eeabc10a37adeeb34984de29445b5bff5a76246f
dfb7d1273be24d7546acf5edab9525ba122b8bc6a6f3cbe4a74a448140adedf3
aefb5dea65bfcc5d6691ecb2c8f263fa274b7fea8944c660ba0f7fa8b59a7642
5f1933288df4fa27aea1d82611702119cbb34e99c00667f08cc45d50ebcecc40
4c1ce31a23a01f4352145fba0cc74d87a55227e1e768c60ead5d5213ae577274
e9df6f2d7490ea6b65158786ed9e06d44c4f173a23e1f232f352d8ece0f6fc22
ab0dd1a71b05f7ebf395e3e302ee52d0a28200f386e8fcd94bae9434a89cbd83
https://annilopponen.com/wp-content/wo4u3134/
http://wordpress-269961-838458.cloudwaysapps.com/wp-includes/ncaa61/
http://jubilengua.com/wp/pcpef331/
http://businessfixnow.com/wp/3og7m3361/
http://domoticavic.com/itau/u5a41/
Creation Time 2019-05-15 19:56:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
2111f3703bb08e49ac15cac50018d916092243375ff295f2a465b095bc8ad388
http://pawarsoftwares.com/shree/o7u4s7u3775/
http://tarakangroupsro.com/wp-includes/s350496/
http://stampa3dplus.com/wp/mf9pbly5824/
https://mondainamsterdam.com/xkcm/9o1i83/
http://jiyasweetsandrestaurant.com/wp-content/jsa08124/
SHA256s for Epoch 1 Payload EXEs seen on 05/16/19
ae1424164da379efd98a58a771d6a73d8f7953e245b4deb278bd5ef6575f137d
d47eead68a15a0791b9b82e7c3d2d0c27a4c13796b269ec4e258e5059371cab1
8f418e4bc9a9d68417f05eb5bbd5dc9773b6966bab243c8c62a21f2280fe506b
d3c378dd638568ab99c08dea2ee5dd737f8c8bf8f68440323b3e4e127065acf1
c60a32ca583bcbb717b220658b1d81b87cc3f32213a6b120d78418da58126933
e7bb123d6b186c67d4fc858566a7c77abd765717b08e114245fcf922516effad
9e94028c0b233fd2063a31dbdca093ac7299d8333322f6ce1161f74cf612fb96
b2378661ac6bf4d3403d42834ac1cf181f8aebc78c47015fb9758e6a62cd526e
7c82c52366ae51d1db52317c0ede5bccc04b751db1773c8df2227149c9c81585
ad8ed5375c7709920c64c1b9863566285ba875d508d32721a9d2969a32b52e9a
3c1167134caa4e1b66560fe4db3d38888b460e01d02e0e3345e2d6e768ad01c1
f12c3c56f6732fd3199d0c3f7a2a5b275879d241322ea5ab9b88863bda0c4110
48ad69c8819998502251e012b2f02d87c867019e28391b26a0795515b72a4fd8
b4b79430ce72d6452409b6208a52387936cd3c77c086901930528a4d295f812f
a2ddd3645fb9431eac04948df2da741ad7b3eb26a02cda6748f20a1c8d4aa7c7
68d08b7e6df40f01473a5771646983953683a262f1b9a8ff3ec3cdd66093ff13
fa5cd6ed5f88e85aaa5a4d9133cd503735b99ab17351c64af04ae6b5de3260b8
3a0aa3bfd5a1989eedcf76c79d71ab0848d584648d06d8259188c24aa8f4b395
eea0fbea3e6961f01a1016a8290a560d6d6915b1384fb9a6473923708cad444f
e15b7148e9e711b53d16fcb89e6d13b35c2a096f75d22cc13a320d07927f49b6
6ae2c01bc31aaac99a2b2814f41589da3401999957cf0863fcea030aac429741
6c680ed5e10170c88631c7f41981c5abc6a5f8b3aeb1b8af0ab07f2f8f8ce500
341464c9b4f231a79e6e4be4d2ab447654d8de50cb51d91de54fe3fb6a1b43d2
5b232501bbc006daa17a993f25d50c893e0d8ca7259249f2330a30a71e20796e
755cfa97ae502c7f0ab51b26e1950255d137bdb295af7d6794428935e9859e4d
e2aed6f9bf52c3d2499bbf288da8b9fa47d20d52d5bb54b924dca6c0c882ee99
33f7983abc488062940793a95b91ebd1e57d98e6f36fa2ffb69594a8a0498075
9aefeb2acd151273b253e6c8f2fe790177d68e0ff1afd634f833758bae0bac5b
ffbae5d2549917d4e36aa5d8ffe8ce73fc07d19e1c38f85f8b5ed1092bdbad21
80f30ecc9614e39555af79245f26ec92cd55f726616a35d1e21dd2e003096d24
84546792b93cbdf76b84a9ad2f413ccfa1d138c7d35f710b4371ab8b64dadb1b
cbf2af6b2238ddcaa5083f9c32b4c24c71d9f4b269b42eeda8bae1badfbb64cf
666a4359b1abed1126c9d684d7e9f7dafae1cff419d0df98209019e038c85c0c
7a33a2eefa19422ef21ee10334e4f33122cb808d8beb77fe975a0625c01420d8
0bc3f28934fd728287c513e3339d902429ce82b72fb1d28712e95d4c32945840
01c44ee67a964d9a171b3ee445bd3e3f6d557ba24cee6aa693ab685a15d82f55
7a4b9893389716f101563dd22175d7837ad3f7053fde839de92019fd6243598a
9582294b34c5a687fba856b27e1f5bc61f1c9044af86f8c3508769674c7f71de
e9024072113315c1bbe2cba8f22e13a98101b47e4f38fed16f3f271d4bcc72f3
38840ce6068db079da3d6a2ef2dcdfd78563d8d2feaa83e44aa37567114fc2fd
55a055d5e71c5ddb44447f099bdaa8b3038f6b381cb9f26f672a9e718ed7f1ca
576e27bc56d71276bfa9f52d242c3204e29d0d498fc9a2461a6dd34a471c6f20
10b7c5834508853b315b9c6b3f373a1d999638592753801799186955dd49977e
ab33b315eddc2ad818b45e207b26ce3b9aace213ab5a66b581a24a34ce03e3b5
11f8ce237a77c8b74cc10a7c9aa6681f8dc3cbcdab236acbcf35571488512508
e39f6fc5d64d163b3180e3f4852ef1544cff540b0f4c2d40771b6ce5172c8740
775d944a64e76d1b1e59f2a7b13f6d0bb5b6d39d448234ec9a44ae365e8030d9
f5bb94b64a759d92de67aa2fb2aed5698d6f50c9aa0890a3922d8351bf342ff7
de54f9f6b4da2411980068400f7e9ce93b3f587d2a9b83d42e3f5a24135cb36f
b1851aca9cb2e43b9d4d28b441a11e975ae614d08c52a01f6e90cec72cb19901
188a1c410aa381e2b948c598b7d933d4953f350a86f0644fcf44da25a1b7b5ba
49636730a580138553096e1a1843cd2a8e3b8085876146eb495487971c7f2251
f2e0f83cd16d9ba6c59f0d8eb6d6f04f00de41c14b161fb1f63e61b9942e1548
64c2327fb3dafb942c37240874cb201c5614e9b68d19503963cc4c664d8f18c0
17120e2006e4ac0f68eafedb960617b2d0ce56b163d4715d4c194c0b9e6584d3
Epoch 2 Payloads by Document SHA256 - All Times UTC
Creation Time 2019:05:16 18:51:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
58a5b34d64d99a446fac330835fe76f1557470bf9b4cfe225bcca956002f848a
38a92dd83540f0cc716eda7b401b362e71ac5cd03671deb66c05c6dcd724c3f8
dde98981f8fe2b3894fa6d8ed0270f353b30189c81bb8848f6fef45170a7389a
602fe80fa41ab99643ade1b79e0c823288efc58e990d040100a5b1ee88b9fc2e
44049b40063adfade1f8ce02b204657180fb1af1c0cf82f27bc871df0fd64f45
46bce95fd19be2f4305a11aef6a5205c41b5a1803c4d3836b334951cc92208af
4a27fbd6a3c924277255a36950ccc161a9773a05552455b00d88e584f5957ce3
bb1d0382f8f95a34c3c3333e08da751c8561833323079223cdb0804036a6e7d3
f9bf8db6e18539de0f48f521fa2e4790077956a62cb4ec640795a5548b3d0792
62391cdf64b3a7bdf562dc661affdc1994c7d698d4fb805dcf81bb361a11c540
53725e0285996b913feb3066802cf1f68863ce7bfba26cc95a69324d0a2bb349
55d7912feb1a0c02b483b1eb415ecc99da7be934f4fef88fb0f9bc66ee4aaef4
b6561ecfa01f65135fc314579131d0bf987443b2a2b5ccfa44bca80ab0e21b59
157f8a6d3cc31abd509e6bae63c817396838f5bf13be33f91d84f96142cf3563
897200001d0d2ec075c0b5f20287dd2537b602f646ddbf413b670b52ad5e87f9
acabcec8c15123fcd0edc117b227febf0d79537c4c8252b2839be6686f8cf801
07984821b787fd2405eebb0ec263abafae4c6b3272c5e78457fe98c2700295ba
6098cb5ca43dd95bf837b29634cc6f9b9cc1ad869f158337edbbde9a3cca0c10
20be34954093ad97844939466d31e8a2149df3b9a2114cc0c8b686149b3a7df3
48bf24af5917975f48436a23e485c9b41133b0b59696627d53ab56cd24afbd0a
e30a0cf17ce45f8be3e98089d6c7bf5cbf3fd16d5525f594122d71788798b921
ee882f4837aca84f10f32e1aa59c4c23731334e6de46c82e17c3d490292b65da
bc9bcbde154284cb3a3c5b98ee09d9f2e3718ed4d0c708dd8884ad161396c68e
4e5220b3370957ec676dae90b6311b6f34ecaf519093680d7810a25aab6b9ed7
c431d09bfeb4830ea301f9c40e3e365381788c66e4aacbac9345c4e65153e493
f6b6fff24c93ee8cbadbbac2b53e89087358e737120d2687c236d0eab75e53d0
ee3b9963531ea7401ed8048880ad6fedf1cbb28913bda7473aabec509ccf08cb
57c9a22a439925f0544a578275469f597e5c85871172229fba2a175360fd3370
bfdb47ad617e3fd6d46b96fdd2a99b75f79500a93e9fdba3a67f8d40b2e41475
723b493cfdd4bb6e69fd63b9f37361eccdbf354baa727118cbaaed995cf6be96
http://legioncrest.com/wp/pyepn1uq0u_1cn0tfaqg8-54319762/
http://rogene.tk/wp-content/lDVAyrLa/
http://electros.co.ua/wp/ln720_ugcn2s1wm-93/
http://modeloi7nove.cf/presta/oaFqMJPhd/
http://deviwijiyanti.web.id/cgi-bin/rbfyme7h_yctqp-7/
Creation Time 2019:05:16 13:32:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
5947468398cb7a1618b3a3df274f8547be1ad5638f3135aa3c41500b942d5036
3d2a4eb39a96b817242b0b5f0783f1117db5053dc3d8446986387d52c8337276
b314c1b740d311a3cbd6074f4346e41fdbae6415e1c3aaa20911501b2a53e17c
3d1a6e657cea9d5fa49d3764110a9df2c61bc49143de499aff349a43c7e16fde
b3963c4ea3e3564940ed23e0234c98519ba7414b7a3683eff3f635a2f798f75d
5ccb438708f222f19c4fe396b87c6b246d9bc42b561443b7f4cd0c92dbc2547f
f6b183dd80fa9a21cba09563f717013511c9caee282f8069c7fbc813a104455b
08ae279eeb4a981a91291cd8cc2f160370ef35ffa76081dc0e2c5c9b114c8583
dfd475ebdc6ba1db16ea52699f6a9484fd25a7c748078892173d344a3711fe3a
018c9a996c34a9232a54d5a290d651b4aae36773f3455dbcebd3f2eaca0982bc
821f35a7ddbc8fef42ab60a8db0351143a0ab0468b0c573f976caebc7ac4ebbb
d7da099f0df92db8d87e9d8543b4328e51a3430b2171e737c300cfb951100240
4c3360c9380f490e271664c6508acacf697558b870d2de03bbbc95a3ce3367d2
0c4dda25ed91b069d0a3911bba601359909bf2b58a8f1a303d66b278100f0d70
38c503a23454d7dfb12c928a421e4524c351f37d5170571783020ba3b59d3a44
f3f1433f505938bbe35c498b9544f3e2190abbc599d61a696b1a53eb7ab09917
61cd585f5854f42027b4db59c5cf141677dff50ebf4b7613b9db2035f7417669
979b7e2be3e7e63e37f3cb1dfdb7cb77d353e51bd8cfc5b4db483e78ebb34bb5
220f737885d1b0cac691c3e1407edd781a06613fa6efb297b9e928f3a4ed887e
fb64d8139c7a45fa7b4cef424e3b8720b7590dc6b82f66b5f6f50fb092ef0cfc
de128a4b40316589b2c17a3ca50dfe2156b10656444f5f7d7faf2a12cc2f534d
d717ebd52ab9559717ab0fad82bd3e3f267d69abcfc683b370739d5ce737ebe3
99d0bd6eaf0c09c27d3555c1aae90e2bf540d011b7673dffe48f92bb47c96471
76e5f272766413e77c975ef6c14626c32ee0bdaa3577936de4c6aeeb48c9ae5a
3e76ebd7bf011384714cc0556ff6e42feea705b56dd5b146c7309421e4514ab8
510dd7135340de9feee76b6fa932415e82bc3360ada22c95bf5f8b4685f4b78a
032d1158a6e3e922dbaa50fda5d36dd9ce8dc013415c6a54174dad2a4b88c0ea
3a2d142b1d9285ba0d16a1a6b56336987af586c96145cd64bafa0ac7b9f2b29d
1240b4ad51f94ff1255fe859d1484a79e9204ceb34416dc5ee488dc145bb916f
c2d9642722e6abaeba3d268aa528e7296ee556a116b37e271ab611cbdb95458c
73bf95ccca97ab08b3614b8f594bd36a4cbf74d5ccdf3b798f11292d01370523
ed7c8d9543cf869368c78207779de5492ca0ed17293068f9f2b66dc0ce9cb25c
http://itekscompany.com/wp/ZbQCNsmf/
http://punjabupnews.com/menusl/dSYLpbrOM/
http://mikyaskitap.com/cgi-bin/IRbQVEHD/
http://odasaja.my/wp-content/02tyujx_uodc9-64381991/
http://dev.psuade.co.uk/wp/WxapFyRqu/
Creation Time 2019:05:16 07:54:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
08f738f9d0175a8ca6ec8393af20250ab94c0f2cc42803dc59aa765c4cc071e3
3f63b8246b7e3326254f66cb9500d6cfd8bbd2601aa2283ab40c8916fd576ea3
80c71ebbbae36d2d3b1c9000324090ca08e69d0c844e8dafa8d3d6addfd2bfe5
7aaddf0ff5496adc8d92550eb0cee3f4b1b5be796a6097eba9ff3257499abaf7
8eac3441c356437e6eb6e05a51e1fde4550e7fe401358ed760bf0d09c4e219f8
7f845706d32de86c9ef88329e99aedf99430f09e0d6a93c80003484da3c94db8
ebfca5a3f2b8d40de048b25cfed54afde0bc5f11a04f396225a6a1e16180b123
0ec79df311bcb3974cdd61a041be2ea1447cfad8a5675146e27facb3611b5ed5
a056d58e050a92c6242fca8a351011b9d2091477dc5b260a4cfebfc2dfcceb31
9759a584eca5c0e51512ec62ceec444df9cab961d4b0e4e147a534e2ebda1d94
f74a30ab3a011ca4d01d854de885906d64bdac67dac0cbe134ff752b5e5da02d
dddb41b5b2d287d5c047d8decc2794172ff5181099e0105ce56dbfe6665e461f
cde6f64558a41b1dd55deecf7e4c5970dcb5d3e13166e4011964d6cb8c2a8343
a680ec73216b1ea96cc39352e38fb7a6c5b09da0f7ec3740e135910d5a994a1b
6832239611377520b2c65bd7ea8817a527a65ee5c9cf74e6ecb69e43f6616f72
521e3fbfe35cc36d1ecdd271baf87742e21a3cef52addfdc7e30abf42880896b
835c698f4fbdd894f143f26681a53cef072e56383079ce328263b0b66fa02f2f
ccac2a18504c1b532f363a6a20cb1e9aee1b0049eb1e42d5b200cecec445ad3b
1facd8f109e53b8335391ea1f88f897d1d5b39ca2fcc5b46d4afc69b26772c86
aad1146413f902dcf6920d0133f5035826de2142da687d8bc3fa2521bbe26d1b
91f513c1dfc882539e443e4e740a4aab682fd3ec0d9f862ae09d6abd1ef3d077
a2803ba4aa7ed10f355395de986950b760f11e549f2af0910eee838a6c9b7388
111184dc40bc924639d6cc305602faba8f2f508fc75d2206aec4fb9340d6ca14
2c0a6da2bae32f484ec4e08957a756313f3a750ab8b3bbe4618ffeee2cc4e222
1f1d3aa9f829ec43dbd4a301b09e705cd5bdc5bda61e0d3d75bd4fd0a7247e45
5e5df7379416e9bf302ae6fc6aaf2a0b552e491a03732b875dde057fc315c139
e904f7456c0f0e17b2935552266331f550c82f7a1d1e5dd50f7abdb2b818e698
2899b6841f0906141c249b1557b39b7989ee98c7172bdbf5e366c8f2e8a8fb89
8cf3132593aa477c1970d3e130e8f30371dd413a4b1539e7335c3534963cbf93
http://securityone-eg.com/wp-content/c6zvhffmx_6skfqch2lf-4721/
http://randewoo.ir/profiles/50sq_qqdxeeln-04257/
https://www.aseanlegaltech.com/wp-includes/lFhhBfMMLK/
https://cybermagicindia.com/images/ur82i_90jm6p-55532/
http://3rdperson.ml/wp-includes/eEEGYADPv/
Creation Time 2019-05-15 19:18:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
e47f8c73b71b01c3afa583d966d945f3b464a362aeb50175f69b01d2210083ee
8aaee6a91f4f21eccd5a99d108d215435aa0f5ca22009262faec5e80470b2f11
78e448a30db3d7d86c655281ccecf72f12107d1cbd3c4c989103cf3401d65e9c
876ef1c3b8aa4aa4e88e33f1b71e2507969d126edc5a111553480ebb3fe12459
06e4174bff2f35981dfd45e4376499761584cf0e87bc310e510c21a42e6cfa31
af66adebdd31c377914f664852e85e1ad5d9cb2325aa11a1d24aca65f7e1550c
f74f7b47050140c8888089819c9bef2e3ebbebab3c40b860391de18d9a03794d
f18a0f8516c937674a301ccfb5111a009e5621a31e4036af25ae97470626b3e0
9b7e99499d0dcd4959e69800de74b8356b9ce5da4fc2e5897c3edfcead8bd8d3
3ba1cad4f797c189510cbffa728b2b1b85ad1400d5ecbee223e262f03acf0443
47413a4ab923acaf1bb2ac8eccfd9a1a66d282fa0b3731ddf2d062bcc2b58f70
400a5d6d21230c8fe91fed9cb2fa2ddae199cfa892462281452b106bd219a782
e5f59e6602e056ebc5e814e59464aa3d891fd1f0afc5e9d80be7fbb5637eb090
d3d69226a3f6759d15a4b94a3ad99da3e20a28113194cff91dfe345c1696a7a9
ba86bb5815a08535c4003977676bf6bd54908b0d89cfa49df3da74aadd0ac6af
987862bf5ba96f0c7e2bdcda3244b6babadc1ba6d7a3c988de889500ec06a201
75f8716c14b028fee42ba751d4aae0ececdead291572bc36b8f9afeb1e71fb0b
f825fb79d94da79bd9726eae75a01edf832f0135661517c7fcbaa5fe410af72b
11051f782981a2d9804cb8a373dd9e30a9b7d8f328167de13873498ed7f98674
dc6a4d64f801a9d61cca7c938966ebcfd8d527cbf7f8cdf4410ab757e57aafe1
321a3f3b901c2f33206a7306778da305454dd0a4c35cad55f2082996958ff6ff
6b455aa9464a18e44571793fb467505e6a50d5881bff86e79043fed5e9216d6c
7e88b184d97bee19296f2430cb932847db7c77f51d27561bbe88230a2417fff1
7ad693a3fd9da1b97c0e7f85fb37bf15f511168d2aa397ffcd4d0f3aeacc84db
1f33d167cd705d1e19f8b7fb8ed5ed1c08b89bff6738b0e0264174396aa6fc15
a66958846580b762798e70cdcbbff2e91e18130587d0e3b0d34c811259da957b
706373653bea1bfd1d577a640e2942a16d064636f6a9aec85b58da3b0cb7ce2b
b2d91536744218551e478fdb93d8a95a00a7afddda74d896122b57ce4559dd79
1e9e79487ef3adba5aad25a1784a828f73112435d43581734998339f184ccfe8
37a8f9312cbc6314a69d480c19287b0c41de1f346a301d0d9e07d95da178b94d
8694de480619ef8cb16e017eeffd8039c54cd006039877cc654992e24a3fb419
90e76b41f27f6383e655d120cdeee12fcb1062399fdad11dae1813c56f10ef25
09e81da7bfaa218857aa72793b86b2f3d3d4fd102e4282702bd524c45428833c
c34ced87d8ef3d765f6776d964752c542f35fe2af8ed277dbd01b5859b776cc7
b8304bea7cd5270509a5196224eceffcdd199ef4e303c65d5af104cea4239a35
144b230733e25b20edabe39bad87913afed9279d4bde2f9b557d8a06c0cf53d7
ec44be0b3814bf8c733fc21a96d495683d66e1d53b4e9cb34316c08877bf90c8
6665273fb05925bc755b1ee27eb962d49991f2d7926821ac019bb89a3384f745
f3ca34c834bd72132b1bbf778221ca2fc9afe5376e8ae63e554da272aeacee74
c3bd3e3df0bb391b3a5808ca3c517abc5d4731441df38b7e30b69ce7bb3dff6f
acec5b482ad5a4de84e5e7f3146c7e04131d0a04b6874d552f33a97812fc9e38
3257cfc9caf85ca8dafb76c69f6c2744b33cd46b7d9b119fdddd78694848d358
942c724bdf60dba3fad9f8695be9b19d96df15a8314d35fd82055b62610f62cd
5b4be5216d7eb192ca92a660ecb8fb86adae5da2727485141e9e9f02d6a24544
3299e6f7204ea1a44782d496c99329b76218b70233892426c02f872221548784
1d174cf281f20a5f318e24b5df536ff2d04d6ea854a81d8d45a519cf3ca60ac2
9762ba52106a0148507908106036e0685026493dc390413549e1d4621b193c04
4821d11f5f6c1d360fb783467ccf365e9e9d412b9d63e262004e592bf8083d03
4d9b585b5bb977301647ee51bffa8dc42b2f2ef1568a1693cada306de09d134d
724c3189c486f06b9090c094256d1ff91fd4e235ccc39a0bd96dfd1b9e2e91e7
http://tomasoleksak.com/wp-includes/zm2ga7ha2l_5q8wl-2798/
http://mmassyifa.com/wp-content/d3ntkm81gs_5129qfvt2i-244324062/
https://aaliotti.esp-monsite.org/wp-content/6orh12qu_7dsv031ip-0075691/
http://adsprout.co/wp/oMrTbPUxE/
http://springhelp.co.za/wp/jMSZNshHRf/
SHA256s for Epoch 2 Payload EXEs seen on 05/16/19
5502789c6c29ebbc46628869afbd7403bf0d19444209d88e3aa743e2ee620981
41c552f75c1c081bbd6e1373960551b09acc3ab4e4f564a14cf19d2e94deaafe
eeaa43d154db6f483d7c70dfd79897cd5fd7555439219c8bae46cc2de700f074
ce2617f0cfff7d66c227cafef0f5b0b69bd8816fe392b1d7d5cef6e80123bc65
d3087e7e30f9bc1650c54c5b7398a195d27d77168023db8002c90b4ed9a5fb90
a75409c3e5590c092af6770e88b632fcc85e93ae3b2985d3520e981e4926a4ac
1001cfaa1f9df7bee979a80241bdc0dc69fb03870d18a095f7125d6670db9597
40cc9179fcafee740c01c18ac18fe12f5540699b17a65baf8e614661739aa004
4925e099c9cc7c804d88ea55c61c60054542a50b10ec7b545104971344793274
ecf2761f512e8508644abaa8b4b6eabcd526fa1199a840bf6a1376a58875ffa6
5be286b25a6db0ef6799547bde0e7fcf41587f04164abd5290751aa62d13696c
feee487ffb84ccfaf11643d2a8a84c146c6caa2cacefa41dfa77578ccdcd0580
74cb3663a5403993d5df536da6cfaefc73249fa19d0a11a49e4ff00a31595359
26fe1af30cc991c29c519bc2941c545026c077edf4b41c3eadb93f9d577f2bc1
408a6ca7d52f20cad7c9e71a06f41d38e9fa1dbfa9595b29987739cabc152e7b
6b41d80cc553fe9cf5bd205420da184c8f2e852192448302e9c053039190e806
e714d77f133da5e759a61ea1e696b0b0778b2d933596697fe4b756628732d1e3
fc64a7f68969210d1cc6a382ac9ccb9ee44ff1e661ae7e95fc21c87aa09bfddf
5e636eaad07c41e658980450b73c0a05103fd05f06d2523a2891b242861f6771
fd150c99a4ede861e01f0afcb0d6d058d28cca3eb2c6efd4389477adb2e94c2e
b07751e2d8f02638024ec922a8db2a9071c8787eaa353425dc795c0d45114bda
69415dca4fbaa6260cf2ef4813c96fc4dc7507b1d5d35d198c6ff5d3d34ef8e2
4415c821d0d79d7aa1da02200223a2ea40ce5b7f2c074d68dd14c423c7912124
7b218b86c4386b46122ab1692c9cacf18e67f78a88799b6f660ad4f1f98dbc4e
86115ddfcdb2bd7813c6709794a810d5e3d9f1c112f4b9759d14f4489422a121
8800bff90a5fe41b917e41b6b2a22bb3caef8cbd801ec212dc89ee53579d3799
baea1d3a3ac681b1ee4df16c86614f9ec005a6c88d29a2c91373c430c8e6285a
27aed9cd088b7ff8c2eed3e34427028ee4adaba5b410b3b79bc1c904d2556337
fad7b12ddbd41d1812846329bc29d1c471a33611e4eab0f8795e28eff891960f
6f46b194cf2e55c06686748b3377df2b436598f6019d0f3f8918c27ff5923743
d77e7baa6f905975987b93272f1e7e7499d263789d016f529537313ab78bdc28
07f9a1604de5b333062f1da5684f50de4966c9847ef9e2c533c8df971358478a
d51177ce71693687ae8dd9aa92801955a0a65df8a6cbb828b525e025bf669db6
06fb7808a4114bf5ae93a598ab892059775f401d9c56e8bd3dcd40155ef1c0c2
4e3ed90b70c43fe0075609314118d9bbf155ed834264a7be0c10a91ac4576ada
f22642474c88147ebbe83753e01b21ba15a7170f784823392ce2337021385e81
a4324a5694e039ade44547da239b469b5588162f5fbfe8663981b9e0a626b4cd
861c52f8e0d84217ca92aab1dcd4e42599eaefd7e759a64976b05777a1757322
289adea08fcc54df30c2f4226e937148f0c94a81c6478d8a645f633ac6a0b0c8
f5b155226ea73bd7b3c1b00479763e96858949e1304f5504786f692b531c322f
596d96acc54e7c52acbd8a9d59111de00b53348bb7b25c5cb33a6458cbed5c4b
9874093c6504962844b1b6a888e67dcd60c1dfa30276608b4c8d2fe83d150fcc
c38fbe7ee85e7a39587205c15ca49edfc9b541c007caf082733a72ad882aa35d
4a32f108c26a3780cfb169860f7e77af7ac0cdcd90a51a8054438999ff9cc35c
700ab98ee3dba55adaef26229d2a0d83eb32e11b437f0ecf30299a591f1c98a9
4e0cbe8131816cc51ae1d75c543d7068426b47d0e18593324f46f389c3ab88c0
9fbddf9be5bb2d73ca4101948b901e07ffb8b3b4d40122c402793c5772169801
2bc618ed051add34f04239c807a208fb4dd58408a47024370c105f3148aea822
b0b1d7c641c06e8eaa10b2c29e5b002904e18819f3fceba937bea36ad644bbfe
6cf42adf3621abea5b0a72d33418bcb5d2b794b3d487b701db0d217f63e34b28
4ae90cf8e1c87d6165f7a45e0a7155f6ecba8142ed867def1b5dda185a5e6264
bdf21a35e671e0a3801bc3d73374249322aca669c6c0e485b20699bede73e5de
a9a7eee56903846eece536159f86865fc1ff8007c7965a0f0457f4e0314a6e0e
33700734c04513e137018848ede2277b6fd5da77fe6bcb3bb7c2807c4e6d2a60
ea69c4a918321768ab0f6a886b4a668a6259e5827029a7d38614484cf6c43b93
29477d71a3047c49ad1e6fe151c917c7048f56d84aae2863e2ca29c48dcba5f3
7198d36a4c08fed0877df7f8ba65c60f775247f35bdc58fc1da51a3913115005
ff460a4674fb552d803be9d5edbfa93796417fa2943b29cb7c8c1f4876ee208f
79f742ec11932710511e31609975a87d298763fcdeb8539eca49401d9d3aa426
d113b87148ff747a1d9156377d577c29f801019539cbcccad51ee6c4d805e85b
af6d52d0804734138bd4a719b8d1865273cb9a6357e67f6015c3002fc1b26028
bec928a7382822e51947a74fd2834fd553b2b10fbf6f7eff292bea305a64a7f9
2179c3d3fed60e56b94369c56772609ad73d0f044770f1eca3e8f51bd7ed20e7
105ad5e8672a34acd1fc97bada4c81ec51aa582205c1873456c26f84f03319ba
75f7b655aa2948bc067eb1a642f06fd5d6c1315315f34e704c950ad22695316f
78e172fa1e5ddd4b3be046d73ba1ea25d624e78e51984b99e39b8c1f2b1329fa
78e172fa1e5ddd4b3be046d73ba1ea25d624e78e51984b99e39b8c1f2b1329fa
fb2f5fc662265a2cea088c5d341341015e7520661cf9a5f75b854abf0646f72f
4fd7e69b107fe0c6493339f845a3c6482f6ab370f35952a13bff026b6c9a7cf2
7d4dc03394db567dbb6a1294740c46af5684c8190ae27ae1a25d517d912cea69
Epoch 1 C2s
103.201.150.209:80
103.213.212.42:443
105.224.171.102:80
109.104.79.48:8080
109.73.52.242:8080
111.67.12.221:8080
134.101.222.153:80
159.69.2.128:7080
163.18.23.242:80
175.107.200.27:443
181.110.239.26:80
181.143.101.18:8080
181.15.177.100:443
181.15.243.22:80
181.16.127.226:443
181.164.227.212:80
181.198.67.178:20
181.199.151.19:80
181.29.101.13:80
181.30.126.66:80
181.39.134.122:80
185.129.93.140:80
185.86.148.222:8080
185.94.252.27:443
186.139.160.193:8080
187.178.9.19:20
187.188.166.192:80
187.190.237.104:8080
187.230.83.149:443
187.242.204.142:80
189.196.140.187:80
190.113.233.4:7080
190.117.206.153:443
190.123.35.82:50000
190.180.52.146:20
190.85.206.228:80
191.97.116.232:443
192.155.90.90:7080
196.6.112.70:443
200.107.105.16:465
200.127.0.8:80
200.28.131.215:443
200.32.61.210:8080
200.57.102.71:8443
200.58.171.51:80
201.251.229.37:80
203.25.159.3:8080
205.186.154.130:80
216.154.222.52:7080
216.98.148.136:4143
217.113.27.158:443
217.199.175.216:8080
217.92.171.167:53
218.161.88.253:8080
219.74.237.49:443
219.94.254.93:8080
23.254.203.51:8080
31.179.135.186:80
37.59.1.74:8080
43.229.62.186:8080
45.73.124.235:8080
46.249.204.99:8080
51.255.50.164:8080
62.75.143.100:7080
66.209.69.165:443
69.163.33.82:8080
72.47.248.48:8080
79.143.182.254:8080
81.183.213.36:80
81.213.182.115:8443
81.3.6.78:7080
82.226.163.9:80
85.132.96.242:80
89.134.144.41:8080
91.205.215.57:7080
91.83.93.124:7080
Epoch 1 - Spam/Stealer C2s
<not updated>
61.92.159.208:8080
104.236.185.25:8080
50.116.63.9:7080
Current Epoch 1 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
Epoch 2 C2s
103.251.176.34:995
103.53.44.20:80
109.194.50.231:80
133.242.156.30:7080
134.196.53.52:7080
138.201.140.110:8080
138.68.13.161:8080
149.255.56.242:8080
162.243.125.212:8080
169.239.182.217:8080
173.255.196.209:8080
174.136.14.100:8080
174.93.130.148:8443
175.100.138.82:22
177.230.108.144:22
177.242.202.30:8080
177.242.214.30:80
177.246.193.139:20
178.62.37.188:443
178.79.161.166:443
182.176.132.213:8090
183.82.100.135:80
183.82.110.170:53
186.113.19.171:80
186.50.124.246:53
186.50.124.246:7080
187.189.195.208:8443
190.25.255.98:443
190.72.136.214:465
191.92.69.115:80
2.50.4.159:443
201.199.89.223:8443
207.44.45.27:22
211.248.17.209:443
211.63.71.72:8080
213.14.166.152:990
216.98.148.156:8080
217.13.106.160:7080
222.214.218.136:4143
24.139.205.186:8080
45.123.3.54:443
46.100.165.6:53
46.105.131.87:80
50.99.132.7:465
58.9.168.7:990
64.13.225.150:8080
66.84.11.168:8080
69.45.19.145:8080
71.244.60.230:8080
73.189.66.63:80
78.186.5.109:443
78.188.7.213:8090
84.241.10.111:53
86.151.202.16:20
91.205.215.66:8080
94.76.200.114:8080
98.142.208.27:443
98.144.73.193:80
Epoch 2 - Spam/Stealer C2s
<not updated>
198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080
Current Epoch 2 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
Credits and Notes Section
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.
What is Epoch 1 and Epoch 2?
What is Epoch 1 and Epoch 2? (updated 03/07/2019)
I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
Epoch 1 is currently the larger of the two botnets(MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller more
rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same
time period.
Here are some observations I have noted since I have been watching these botnets:
- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
Epoch 2 document download site. Specifically, Maldocs on Epoch 1 will have a different document creation times and payload quintets than those
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change very 10 minutes on both Epochs while distribution/spamming are active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Monday's of every week a new set of document download sites and usually templates to accompany them are generated early on
Monday morning/Sunday night.
- Both Epoch's may share a host for binaries or documents but NEVER the same directory. Eg. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys will change every few months so for C2 communications on each Epoch/Botnet.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from, is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
spam template, word template, document type and even payload.
If I think of anything else to add or if anyone else has any suggestions, I will add them here.
Community Lists
https://otx.alienvault.com/pulse/5cddc7e4d7f990f5a20e2845/ - @SecSome
https://pastebin.com/XV3CjgD3 - @ps66uk
Credits
(OC from @JRoosen and/or combination work of the following)
Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
@Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192
Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro
Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
helping out with this!
Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
@urlscanio, @TrendMicro and @Virustotal for providing services/software no charge to this cause!
Daily Log 05-16-19
It's going to take me a little time to get up to the usual high standard and timing - @ps66uk
Still low volumes of emotet for me in the UK, not seeing many LATAM bots recently, predominantly European sources
Others have been seeing higher levels
https://twitter.com/executemalware/status/1129196428071452674
Emotet still doing Trickbot https://twitter.com/malware_traffic/status/1129122571075641345
General News:
https://www.sentinelone.com/blog/emotet-story-of-disposable-c2-servers/
https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service
https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-distributed-ransomware-loader-for-nozelesn-found-via-managed-detection-and-response/
REVIEW:
If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
to open .JS files via Notepad.exe. You can follow my instruction here in this Any.Run:
https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
https://twitter.com/JayTHL/status/1126204098670411779
Email Template Report:
Generic templates on the most part, the usual body text listed below.
Review:
What we know about the threaded templates/reply chain:(changes are marked with *)
- Emails are sourced from once (or still) compromised users all over the world.
*- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
to the compromised party on or before Nov 2018 until at least March 2019. (may be up to present) Also have seen emails going
back as far as June 2018.
- Now on E1 and E2.
- Now seeing German based templates that are essentially the same thing but in German.
- The injected reply is usually prefaced with the following:
"Attached is your confidential docs."
"Attached please find the wire transfer form."
"Thank you for your help. Please see the attached."
"Load instructions attached"
"A printer friendly attachment is now included with each email."
"Click on the attachment to open or save the printer friendly version of your report."
- Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
- The link is customized for the display text of the link to show the real domain of the spoofed organization.
- These templates are pretty limited in run and not very numerous.
Link Regex Report:
Regex directory patterns - Changed one of the Regex's for E2 to pick up more common directories that were seen today.
E1
*https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)
https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/
E2
https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
*https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/
These Regex patterns are to be used experimentally and at your own risk but they caught 95%+ of what I saw in link malspam.
Payloads Report:
TBD
C2 Report:
C2s DID change for E1 and increased from 74 to 77 combos in total. - recorded above
C2s for E2 were truncated at 59 on anyrun, I will try to get a full run later - recorded above
Closing:
TT
Sandbox 05/17/19
(all with fakenet and MITM unless spam/secondary infection)
Epoch 1 C2 run on 2019-05-17 at 08:15 UTC - https://app.any.run/tasks/bc7566f6-7853-4db6-a5aa-21b09da4e625
Epoch 2 C2 run on 2019-05-17 at 07:55 UTC - https://app.any.run/tasks/a3ac3901-2c3e-400b-8c5f-df8bcf14c530