Emotet Malware Document links/IOCs for 05/20/19 as of 05/21/19 01:00 BST
Notes and Credits now at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.
Epoch 1 Document/Downloader links seen for 05/20/19
<none>
Epoch 2 Document/Downloader links seen for 05/20/19
http://24mm.site/wp-content/pzCNFBGPe/
http://9coderz.com/wp-admin/lm/lm/VtuGyUdGncbiGlUmipu/
http://agroborobudur.com/Kopi-kinanthi/Dane/s3i4woquxza009qhz8tngvpio_t1ndfy5c-8779808509668/
http://airconfidencebd.org/wp-content/hfrhybo35jocmt9rykxk92d9_ws2nvv-804221103844/
http://akoagro.com/wp-includes/FILE/fsrauTLdLBq/
http://alageum.chook.kz/wp-content/uploads/Scan/04263hkou_u9q456yn8-3307251785606/
http://ambil-hadiahpb.cf/css/Document/zvv6pzemxix7bkqkxcdven37o7v7p8_w4gnn62w-746465135047600/
http://anase.org/wp-content/Pages/iq89n0t5_yfxzp-070843819/
http://an-premium.ru/wp-admin/7b6ech5-svgat05-fnyjvh/
http://anpuchem.cn/wp-admin/2spx3-fd0s9jc-wxcnzqe/
http://appsville.global/wp-includes/6m7d5hr-jolf92s-dxvkhvz/
http://aradministracionintegral.com/wp-content/uploads/q4qzpxt57s_s90s0-562133435485/
http://atkt.markv.in/_notes/FILE/OCTbubxwjOUENnC/
http://azbeton.ro/wp-content/Document/vtjHcnFgqglXQqzqEkohRLJd/
http://b118group.com/wp/b0gk3v7xqs_8737y8-565189409480/
http://batdongsanminhmanh.com/wp-content/uploads/Plik/VSHZLPQDixgGn/
http://bcaa.gq/wp-includes/Pages/WoJUHWDOFhNKDkbe/
http://bestit.biz/suspended.page/esp/ZrnXUqWtuAfQZQRQSBUrFxEDGWGwvk/
http://bkr.al/cgi-bin/40zpx-msvngf-sstoene/
http://bkr.al/cgi-bin/64799-4om1s-llzcc/
http://blog.chewigem.com/wp-includes/esp/atHZLyKKQKvkNKho/
http://blog.dmtours.lk/wp-content/FILE/ruaXvPMVnjujCTjeLLT/
http://blog.laviajeria.com/wp-content/uploads/gsaujyf-ry06n-dssec/
http://bloomfire.com/wp-content/plugins/DOC/FoQojoiYS/
http://boilerservice-cambridge.co.uk/muun/esp/IhCsETyWZrho/
http://bonizz.com/DMC/parts_service/5eh2hsadldjems1kq3wlh403v_e39t3mz1ud-335687791589/
http://branner-chile.com/wp-admin/s5045m4kdv2yxwdez6m21k7oq5xe_smdxp-8989005213940/
http://bridgesearch.com/stats/lm/on6io5qd9ehr135ii96ueery_0zik0pyx4-290001900664299/
http://caddish-seventies.000webhostapp.com/wp-admin/4ur9tmys2h_75g6pp-73387052/
http://carlyarts.tk/cgi-bin/0hz63w-s3alcb-vjrm/
http://centredentairedouville.com/wp-includes/Document/zw020kmf76b9mjrb_75xfiu-31033395686/
http://chinmayacorp.com/COPYRIGHT/Plik/tjDkGOTPHOJ/
http://chinyami.co.tz/wordpress/i5q3jawbcp9_03ums9-7667848091/
http://chirurgien-ophtalmo-retine.fr/wp-admin/Scan/trrMBcbN/
http://cielecka.pl/ilum.pl/Document/f7djienirh5otecveisehl6oi_tn22d-108070575/
http://colegioadventistadeibague.edu.co/wp-includes/DOC/9qzrb8epfmvac53u0v2um9uk3vkkc0_llqs4z0i5-693725156265103/
http://congchunggiakhanh.vn/wp-content/lm/lmjQDFYXEANYNpuvmqbCJs/
http://consortiumgardois.eu/images/FILE/kzfYkwNCziLHPSLvhPexT/
http://coronadobaptistchurch.org/wp-includes/paclm/nrzbbwc9xordu0f1pojvw03um0v42_ucm04gi-866893424118465/
http://corporateipr.com/m9c/phutz63-w90emms-oukwmr/
http://crsigns.co.uk/wp-includes/rncjoymd9s61_ahrbb-46845098052870/
http://dag.gog.pk/wp-includes/PLIK/wndpifvajs/
http://daizys.nl/BKP-06-05-019/sites/HxflDlFmdMdWWyqIrRZHCGWSE/
http://dembo.bangkok.th.com/wp-content/uploads/ZJzsVKdzRzmVYxKMwQhxC/
http://diarioprimeraplana.com.mx/wp-admin/04t8ju-5o1m33-exgwn/
http://dieutrigan.com.vn/cgi-bin/g2udma1-tpa02r-feyuejx/g2udma1-tpa02r-feyuejx/
http://disperumkim.baliprov.go.id/wp-content/JAaJgGgshskUmKanMFIDcM/
http://door-craft.ru/9eui/wzAolMvPwpd/
http://dronint.com/wp-admin/tt4up7x-989rvv-uykocm/
http://dukkank.com/wp-admin/pr9ybbym351h_l9tw4u8-16488044/
http://ecommercefajeza.web.id/wp/tbkh1v-qjzzn3-wvojp/
http://economika.com.ve/email/paclm/dsbzhob4b8seeq_zl3zlxclc7-7223513679032/
http://e-controlempresarial.com/wp/paclm/02oyix5wanbeegnxcnudm_m9wha6e-6640018143938/
http://egplms.okmot.kg/wp-includes/mf75rsm-y1pndse-apjgbfv/
http://emcimed.ml/wp-admin/INC/beCmcstHEcYWSdunsNpV/
http://esquso.com/wp-includes/parts_service/zncgw5r30ehtff4w4_nvu506u-84590229280717/
http://eticasolucoes.com.br/controle/FILE/urjm9ad0e20oke9_yys4j-1833857769/
http://eurofutura.com/carloghio/parts_service/JYRByxVSfhNOpVVTASyyBhBR/
http://exenture.net/mySHiT/mhv8eiw14_tj1q863agg-191035311473/
http://finanskral.site/wp-includes/Dane/OpNAvrtH/
http://fitnepali.com/wp-content/plugins/vtt3uru-k3dfd-rfeqkz/
http://focuseducationcentre.cf/zayarlin/Document/bEjkgNhfyDTjBiljqJwhvIaDu/
http://ford-capital.com/wp-includes/uq78wg-g5po55l-edvmjx/
http://franshizaturbo.ru/wp-admin/gjPayGQZRuvZKW/
http://furniflair.com/assets/6mm2ev14i5rh5iu_1lvoybr-682572903489141/
http://gamingproapps.com/wp-admin/05wvu0-b8bm2-mujg/
http://gatewaymontessori.edu.gh/5r0x/INC/sor5jniomi1bw8se6reyjodziydt_dk6pdtw-885852414780/
http://giangdinh.vn/wp-admin/LLC/AmMcutbAcsZgoLPpvSBSFJFL/
http://giaoducvacongnghe.com/wp-admin/parts_service/s5nvqu5cu5xiavsm_tt4g6sg-9685915454/
http://gilmatas.000webhostapp.com/wp-admin/yznvck5zdjh_m6ewq2-12021270394/
http://gite-la-gerbiere.fr/lib/bf1vgc-kym3vl-moyonq/
http://graminea.or.id/cgi-bin/esp/dRfhYjIAqKiRZKZtpFcXvsFYUD/
http://greencampus.uho.ac.id/wp-content/uploads/vyeow9-3fruh-vbno/
http://grinq.com.ua/wp-content/qon3os-lg1iwjy-xwfjr/
http://grupoxn.com/wp-content/h2uy3p-uanu36y-qpfbabc/
http://guidafinanziamentieuropei.it/dup-installer/esp/whISpSbNpvwrdNdxBlTfEMDIUKOs/
http://halcelemates.com.ng/cgi-bin/qspgn-miqx4yz-hudi/
http://havistore.net/wp-includes/wt6adv7-xupjzl1-sidkes/
http://hestoghundehuset.dk/wp-admin/mPKrLBEEMiHVhKYpHeEc/
http://homeedge.co.in/wp-includes/Inf/3h8bwmc8sg8bhgmb6oajbqfth1lw6_u963i9ar-5947272013/
http://ihcihc.org/cgi-bin/DOC/JQbRvcTvKHPxixBpVIs/
http://itcshop.com.ng/fasttrackcash/Inf/qrjYUODRuCg/
http://jajiedgenet.name.ng/wp/DOK/x963ssn0_skxizz6j-099060478701887/
http://javed.co.uk/wp-admin/f3pafo-bac855-vrgxw/
http://kauzar.com.br/wp-admin/9naj-wg0geu-jvhkq/
http://keffesrdf.org.ng/dir/jh2cg-cxh72-ocnv/
http://kgdotcom.my/wp-content/e6k9v2v6m0_tfl09azf-288153120/
http://khusalrefrigeration.com/wp-content/i63i-fc189k-plkiv/
http://kipsoft.vn/wp-admin/uXHCWQYIsUwy/
http://krasotatver.ru/wp-admin/n53x-uxotfh-dxkbol/
http://kuramodev.com/wp-admin/esp/2lcrz1uaq99jqg6x_btdci7az-5511668994948/
http://les.nyc/wp-content/uploads/zuxbjd6mgcbofmz_1lwfz-96882379608/
http://lesantivirus.net/css/esp/LvxnSHShDjxTiArIvTtXhDOGX/
http://lizerubens.be/wp-admin/parts_service/IWuXVRHMja/
http://lnemacs.com/updatecoreo/paclm/QOqcLyIDnqskRUPrQtAY/
http://logicsoccer.vip/wp-includes/PLIK/DyyyskgffSivMY/
http://luisromero.es/cafe/LLC/d02zuso2z3r0o07_uge4o-3011321187376/
http://luz.ch/fuurball/paclm/tayiwtdw9gvgb21rvi815umr4_l1k2tafz-916097634479/
http://lyvestore.com/wp-content/uploads/nsm60x-6fzovcr-gtkxgtl/
http://manorviews.co.nz/images/paclm/mcpf0o3f5me1zh2x2xarr5c_c2kog9qp6-11133861/
http://marbellastreaming.com/admin/3b1zwi824hbk1pe2coubcbob_5nlp4bh-14804269498/
http://markantic.com/wp-includes/LLC/oXitshkRMjCSa/
http://markelliotson.com/sites/k47y5hwtw8h_aqzp3l-449059094/
http://masana.cat/pix/parts_service/wBwhQtYEVIEpsMPtRsyl/
http://mattress.com.pk/wp-admin/Inf/nyKIfXKe/
http://mattshortland.com/ozXYuMOiYlguFF/
http://mayupan.com/css/Pages/jamcysmfx_d379k-789309688595/
http://mazzglobal.com/51655165g/sites/zuutn9zkjzzsbhffa5d0fpvaw9z_jzv2j6b-263923452810966/
http://mentfort.com/wp-admin/r4g71c-hi527kb-verjplp/
http://mic3412.ir/wp-includes/LLC/hsnp7lhg0fbqhj1dph7c4fmspwvz_r66ocyu3-858421356/
http://mickreevesmodels.co.uk/micks_chat/INC/KfNJTKdmSYiueWhbqeYVzigbOaUj/
http://misbragasusadas.com/wp-admin/paclm/okb30cee6xhg1cbi279ssznmewh88k_mimhl-536403870815322/
http://mjeas.seas.num.edu.mn/4jew/Pages/DddiRVHssfjb/
http://mjeas.seas.num.edu.mn/4jew/Pages/DddiRVHssfjb//
http://mjeas.seas.num.edu.mn/4jew/Pages/DddiRVHssfjb/\/
http://mmgbarbers.sk/wp-content/hmESzqKrW/
http://monsterz.net/blog2/FILE/fCuLIWGTqBVwcPDfUQRVodcKJxEmI/
http://m-ros.es/wp-admin/nfbyibe-l6cpr-wvgd/
http://mtaconsulting.com/wp-content/Pages/ntq8h5pnhzsb_c98jimy0lh-77243452881/
http://multicapmais.com/js/esp/jLOgrxpWZ/
http://mwvisual.com/scfv/bYofxzLIBlDANzJQJhwNsOgzvfU/
http://myofficeplus.com/Document/zJLRnsotorjEVuGxH/
http://ndm-services.co.uk/DOC/gsnhdhup7vp8u3onxtqzbn_mso4v7e-4060977015/
http://nforsdt.org.np/cgi-bin/LLC/rJhJsoFerEAbFVKOgJweNESInf/
http://noons.ru/wp-admin/DOK/mpmd1xmzhl8ijhcvdh2d40r249a_07m8onqzs-192022041933115/
http://novaoptica.pt/wp-admin/rnsoyvw-8y64rg-ppgc/
http://ovakast.com/wp-admin/zbb9q-if7z3-xncfy/
http://paywhatyouwant.io/cgi-bin/INC/RycXLpkwbaXNzSdOQYrWlxXoi/
http://planetkram.com/cgi-bin/FILE/lydb59kvj94x2qxaf0lo_95s38g-70862676621395/
http://priatman.co.id/old/gmvor-qkevv-kmjsj/
http://priatman.co.id/old/gmvor-qkevv-kmjsj//
http://print-consult.be/ResponsiveImageGallery/61p114nlua4w2_8mcik3tixr-083144052/
http://qwelaproducts.co.za/wp/voo74gu-yc23wv6-eysshi/
http://ramun.ch/infa/FILE/lJvrIxQuUlhOCEvbCUdnSfzGi/
http://rociton.com.bd/wp-content/parts_service/f40sb8gz9nnsppjgt7tclxs_gq8nvjogop-96874256/
http://sanalkeyfi.com/wp-includes/Dok/qauowl45eharem4bo5i0_9vtspc-07835495394/
http://sawitandtravel.com/cgi-bin/4xaib1-5gzkqtk-ncyncpf/
http://seabird.com.ph/html5lightbox/e49fc-v1zh9o-zrdsp/
http://servicehl.ma/wp/p0fc-ukirhb-npri/
http://sexlustoys.com/app/heotbm4-5ea4e-qbhgzg/
http://shadzisti.ir/wp-includes/bka7-9lmu27-vhofm/
http://skilancein.000webhostapp.com/assets/INF/BztYZLgGvYARNnbzPsTRtTUGJy/
http://slppoffice.lk/wp-admin/cjr9zzp-rf7yx2-rbvxv/
http://smake.in/wp-admin/4ssh779-i04deq-vsarad/
http://smartschools.co.zw/wp-content/f8sy-k74kuj-xsaidw/
http://snowballnaturals.com/cgi-bin/gsai-g663ics-kgisfcn/
http://sofiaymanuel.website/wp-admin/i4zx84z-shgopmw-trhyisa/
http://sreelabels.com/wp/x1zu-9l83g-fhhdw/
http://steventoddart.com/cgi-bin/78djj4-9rsc3m6-rwtqz/
http://subkhonov.com/LLC/Document/qWrWCtrmDmBwslubhyvcaBfWhiQX/
http://sulkanvariasimotor.com/cgi-bin/Dane/QdSsDaRPbt/
http://supercopa.cl/assets/esp/zugnnetz0suvx017j01zwr3_x33y9-0543142109882/
http://swansgateshoppingcentre.com/wp-includes/Scan/ok6ulsnds83m0s_6gz9lcuo8c-605978940826/
http://teknikkuvvet.com/wp-content/gmnaj-28u4pg-jpec/
http://teknisi-it.id/COPYRIGHT/FILE/VppKShnPdkhRjUEXEeooCIIAhwbUDA/
http://theoptimacreative.com/backer/DOC/lzdtnRntp/
http://thptngochoi.edu.vn/xxattl/83dp4mk-3qxhlx-nvjq/
http://tollfreeservice.in/wp-includes/Scan/a2pifq3p6qv3z9qrh_8g7y3a-09960395/
http://toorya.in/wp-content/csbluri-69vjyo-gvib/
http://trademarkloft.com/wp/LLC/MRWfXNPWcWfmIEtA/
http://vinyasayogaschool.co.in/wp-admin/Pages/srSdAHPKkqZbXQVsEkPcjTBAUxFM/
http://vnmax.net/TTTN-Green/7yurlqz-imfjsfr-vcha/
http://voctech-resources.com/cgi-bin/Scan/yygznlklj5_donv8-334023278047356/
http://wpstride.com/wp-content/lm/3oszpkgom9175aa_8danqb3v-845337550891852/
http://www.912graphics.com/cgi-bin/btqbghdo7eu6ykg0zzxjohdj7_j9gac5n-2948099525/
http://www.cmg.asia/wp-content/uploads/DOK/bkmrGzXzIEZODqVCVwBTcQiNn/
http://www.eratoact.de/wp-admin/xVJZSsilspLhyBCBboC/
http://www.iowaselectvbc.com/wp-content/esp/ESCejHjQIz/
http://www.maria-hilber.at/wordpress/y0og46-pud86sj-qmdnev/
http://www.nucleomargarethferes.com.br/wp-includes/3lte794qnmo8qdk8p_cbdl68-46700341/
http://www.vidalgesso.com.br/wp-content/parts_service/0dxp3gqybi_khdxx-76852614/
http://xpelair.com.ng/wp-admin/uwenu-wdun3-aurp/
http://zhas-daryn.kz/toreshim.kz/LLC/ndpZCyBJjxPtWoCjvwxzqByfXVQsuT/
http://zipzapride.com/wp-content/4auq0kq-t4jx2-nzaey/
http://zmeyerz.com/homepage_files/paclm/ATMrNHzXJjfIFDTQmcCNmiPHPRUXO/
https://blog.laviajeria.com/wp-content/uploads/gsaujyf-ry06n-dssec/
https://bloomfire.com/wp-content/plugins/DOC/FoQojoiYS/
https://cargokz.kz/wp-admin/2mxjeu3-75keej-yodnse/
https://centredentairedouville.com/wp-includes/Document/zw020kmf76b9mjrb_75xfiu-31033395686/
https://conjurosdelcorazon.info/wordpress/Inf/1hpu9k3q05djyl3gq5722_d7u08f-5929583887/
https://discoversabah.my/wp-content/Plik/PASGCJIBOXFgLSfvWGkDq/
https://euma.vn/yfbh/pvhwwa-xg74b4-bknrdh/
https://exposicaoceramicaearte.com.br/cgi-bin/Scan/cuhgcn4fje3ftup_x82vkmk-064904430823956/
https://fitnepali.com/wp-content/plugins/vtt3uru-k3dfd-rfeqkz/
https://hlclighting.ca/wp/Scan/oylkuxb7d3zafh4_yyzho55c-730553405724/
https://kamasexstory.com/wp-content/y2o6h-vnm6vw-ehxybl/
https://kbolotin.com/wp-content/w4bp-8yhaza-zqxtij/
https://liantrip.com/x6sm/INC/k9iovbtzedsa1ptk3j_9gqdpmgi-906696776/
https://longokura.com/wp-includes/Pages/RphdkFQwbj/
https://lr12sp10.org/wp-admin/8nu0md8-38qsi0-iqme/
https://luppie.eu/icon/Document/FIFEgoVJlq/
https://marin-ostrov.ru/wp-includes/DOC/bOlcIxbcgMoMfhfz/
https://mjc-arts-blagnac.com/wp-content/Document/qein18j18_d9y843jj7-3116175961/
https://placo.de/typo3_src-7.6.11/3jo2nmg-58mws-pospv/
https://proxindo.id/wp-admin/FILE/vgsupeyhnlc8ka4tbdu72wde7khpa_1ganzrzry-05828045/
https://ramun.ch/infa/FILE/lJvrIxQuUlhOCEvbCUdnSfzGi/
https://srgranel.pt/blogs/LLC/yi2j7x85stn1at_4dvhbnr-47282747/
https://thethaoams.com/wp-admin/k8xc-vr0ue-ryktr/
https://topaqiqah.com/wp-admin/iwrivz-kuvph-szzyiic/
https://www.iowaselectvbc.com/wp-content/esp/ESCejHjQIz/
https://www.kleine-gruesse.de/wp-includes/Document/laWittBVpszALuZbTWOvWHRk/
https://www.mulard.co.il/wp-content/nyfntba53q421e5_w8kt7s9ow-26401916920/
https://www.sseg.ch/wp-content/ytn7-eh9d9a0-jphxofx/
Epoch 1 Payloads by Document SHA256 - All Times UTC
Creation Time 2019:05:20 18:19:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
90ad84b36bb06c3b8ee5d356c3ede4116a25b75d3473ef03e6cc16dd15fe8beb
http://qone-underwear.com/wp-includes/4p8n17709/
https://kobac-kawaguchi01.com/wp-admin/wic5/
http://tajdintravels.com/cgi-bin/9b40471/
http://bombafmradio.net/_vti_log/5hu7x820/
http://soprab.com/cgi-bin/blnnz83/
Creation Time 2019:05:20 12:40:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
72395c97b8790a56a8f763c174b0870c76401eb81cd802784c326dc2b9bffa8f
495cbb79182be997e8a7f3729a63b711c3ba5e44e802c7e2057ba7d59033238c
e2a4749668e5f74d4bfd4491baca23363c25a53c1b0456ecd58ddf5238f725ce
96e9250c6b0153f6de8096cd972302e1779a5f6d2eb4c715a2177b873cdc2ef7
57c73359315ef3e5f96915cc4c32774a2875c014f7bc9d8aa7ae2bebed588ab0
http://seogood.net/wp/b4pxre6304/
http://agro-millenial.com/setupconfigo/0st9376/
https://proyectonoviembre.com/V2.0.0/7ouvu47/
http://royalamericanconstruction.com/fwmihe/04qf6uy0/
http://farodebabel.com/4xhzvd7/nl12/
Creation Time 2019:05:20 06:20:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
ab32f1046ef9a51b26e413df606afd4811c3655c665220060f72bdc2c23d4896
599ecf8cbea461292c86d672b778fcb5dd43bf83c69416fb25e4ca83b37461b8
eb1c76f474a6ddaf3430837b434e4a4b53ca9349c9ea280f2093e684d64b9bf3
383d09e70ff1eeb4237ad4b9191a4163ed92fb1bec03ef4cbc7c09ebe471827e
78d4a89f5558172a6369de73c4a4fcaeaf6658f40a6cbb52d3b703d58c15b0cb
3a3a3ce662207abed7142ba0a3fef5ed404fae0da85cee9150bc72f84a44922d
a4d0f1eaaf69fd8eaec8340cc4d82b543b039525f45edf9809f91df272a3ee13
7a1aed13987b3c25c14e41c0cb99b1e955069eae5dd8c40a744ea3ff3e0f35b5
6457f95bd35161fddc97a87fc16c9f4c2bd0d5f412dd62ed6d3d209ad3d457c4
e2a2ce0b605642f4f99516714c345a594dd348d758a4cb70c2efe6418de89ba0
232ff27ab72fd11c77a982e98cdf1936888a5c86b49a3ba9ef8bf74a9ed11e09
8f9c24ec7356f074f6296cc93d9a2b801735be454b81051e90f52a3507cce8eb
61f00daa004945fedc680f182c01b0ba543c9a2383361fc0812a716fa1c95295
dc7451322a2c3ec5000a251fd69ee78f8a9d9df77ec14f2d9671f02917fa4617
64458368d954b71a4d1dda78684d2a1d0f37fa4104c5d845a08e173e4238b7c3
e352a2d273403fe35b6c1b9331dbfb1dc21c52856f1e928d33647430f0696212
2a467716313a55305130586d623247be7ba78a2bc75cb074dbb2c8da4c38678e
2f87ab37797dfe5f40d180808dd55d27633336885c1da8679b8a43410c573d8a
faf7082318955d662b2e456ed89481bb1ef089d039668646f86c4ac852b27353
http://tenantscreeningasia.com/wp-admin/zpjdvy17/
http://bystekstil.com/wp-admin/zm6481/
http://eric-mandala.com/wp-content/fj68724812/
http://avitrons.com/uma-site/isi2/
http://developing.soulbrights.com/wp/s445/
SHA256s for Epoch 1 Payload EXEs seen on 05/17-19/19
886ab67d0704721367c7ccd41585514e999baf4fe1114779db6d981efc85672f
e5be3c0b66d7c3c2986202faf860f4cce41892db64c91e8322a57c2e4c23ecf0
315b772f4cee9ce22ae23a59a0abb252675aef655ba3e3d06a2f3b282d80768f
Epoch 2 Payloads by Document SHA256 - All Times UTC
Creation Time 2019:05:20 18:13:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
://overcreative.com/css/shecgesia_cjtf7s6-2586658720/
http://antonresidential.com/wkdrlk/papkaa17/NujUJetNy/
http://gawaher-services.com/nngb24y/vXGApWUwd/
http://thepropertydealerz.com/cgi-bin/5ze7vs_tgt6e3k-5/
http://guimaraesconstrutorasjc.com.br/wp-content/NTlTZtAUB/
Creation Time 2019:05:20 12:33:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
e130a889b149e876b20a3fbd1229d3046dc4389cec91b305110ad34b3d1f9437
1bb372951c973ae6a676d5cfb6d6255c5046a4487de3f2c434e67033276d4096
db8a9012a390b1544d849d02dedfb56c572bea38f1ec7ab3d9051a275794074c
48236d5717abdb07bbfb9566a5a9cd723b2caf834de4301a0b0a979165a053eb
b714b36b234f97e0ff98272689a78bd8321b9a1498d1eccc44972aaeb755df42
f22da8acd690ddf140b2f21e5377bdd30ba85fa25986ffa999d00ba33359927e
29da17543f235e1b14db2dbda159ed4ef665d1bb71a80ff3ac09e4f350cc64f9
921fb28561275036e0c28871e490ee48aa1cbd637489854121dd781959cf3f3d
fdd5e796770981d0d7307cff882d7912353355aa6e34d03b3ec17bec44741957
83a5c771fc83d7e8de55f32089e031a80c808cd903950311b0bff1103b96db7b
33a4c297c96c8e0221d6ec50d18aa5305dfcc92776eeb60c0d0c19d0ecb13976
d8e26ff205e06a0681195653d61bcd5629807e0febf5df8617ad3f72bcc6c04b
ffa40a4130de3297baa84b22501ff6c24a862a446257abac41132cdfe42d3de8
8578d981b824c9ce244f8950f55e709b0a2fdf105d426f5faede3b92b2b4bc25
c4548a16dbfbb5fdd5172d70bc93ea07af48b0301ef25ad94b72d4feb16a4488
07e2bde9b08db773d50209807557afd29751323799d3e62bf17afb674547c6c7
bd6c197ad44457a5c4c73e157469bbd6c737b8ce4867ecbbc8aedbf3b73066aa
5713bb6bad1348b4e4c031673b4a1b028ddd2981f355eff51135f3307a4dec99
b0afa6464395b631fb978a358a9e890a9187a88f26975b2f85b84f0db8ea838f
4ec927bdfdb5ca162d170e3510ffdca15a839529fcde333a2caac286631e7ddd
f44d4f34c647cf685fb3cf8c1fcea4de77b15b00f1b810f37383243f8d6a3b72
2681fe5afa78ad3ca3edec710e9eb01e50b58c39f35d413415053018b52e04dd
ff7bb28da6878c1d0bb3a72782d355fd917c7df53638fc995f7528d8a65da5ac
b419db93d5dc35652c6f34cd52f5dc2891397d66c8a421f802abf2067fdf3cc0
e31a818e5f32462630808e6fe5910eb2b57c04f444ec5be7f290ae00eaa9b926
fc696a3b641ba9516c85f48bcb9b2b68ccc8ebb3946acc8ab7fb962e328ab359
0eab3af784eeeaaf4f10c2a98a7dcd2a15c394e02b57c58a1ec271e1de1b70bd
195db4dc248fa14b23fbcf63f959289a822689f25bda203e521cfa0b11951936
70815321613db330b58d461f800d0eb271c09bdd10f208bbc01cb82d349d74cb
fb50d4bf2260c45ee78c454a3143c1268b9099175feaf6febaea038df1040517
6b3a441f6c646464a804220fe4ef75f78744a666177ff8cefde90749e2581d19
4ee136ec6b4ad8365d472457b32c3eef46f3784edab4a3d3ffe20494d6a38f7b
20fba937d09e7ddae71abc240620ef9530615e351f9b47acca46e014e873dd83
fbdfb2cded799f1f778c4394d9e708695881636323461a4fbf29267601919aab
http://tongdaifpt.net/wp-includes/hylKLdJWOh/
http://e-salampro.com/sasnekat.com/awc2601b_kf95uldy4-36/
http://filto.ml/cgi-bin/aMqquEsQw/
http://qpdigitech.com/wp-admin/xmt6ku59pl_86bt8fv-73919803/
http://omestremarceneiro.com.br/wp-includes/cgey_vp867s238-17/
Creation Time 2019:05:20 07:57:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
://saminprinter.com/wp-includes/yrkvm4vyy_ybidb-43745207/
http://santuarioaparecidamontese.com.br/wp-includes/7jn9p7_qou49bjodx-33953/
http://serwiskonsol.com/wp-content/JEsfYuiPMv/
https://ppdiamonds.co/wp-content/m45zv037uc_nent85daai-282067/
http://aworldtourism.com/wp-includes/1fcjc8_m4lnj7ffng-755100/
SHA256s for Epoch 2 Payload EXEs seen on 05/17-19/19
8274749a1f4910e88944bc47d74aa0760cf6eb24712fcafbc0d744047a9839e9
f76fd135b6ca6580ab454f45bb27b67b55ef30d24e5e4b2423d3d351243fdd3a
8b6d9742b2cde735b64b68e9a5cc99a4c7caab09a036aa9cb418f761a557f3ba
360fa23df3fecf60395efec34e214793a202edee19e28647c2fb1cd86d3e3b47
Epoch 1 C2s
103.201.150.209:80
105.224.171.102:80
109.104.79.48:8080
109.73.52.242:8080
111.67.12.221:8080
134.101.222.153:80
154.120.228.126:143
159.69.2.128:7080
163.18.23.242:80
175.107.200.27:443
181.110.239.26:80
181.143.101.18:8080
181.15.177.100:443
181.15.243.22:80
181.16.127.226:443
181.164.227.212:80
181.198.67.178:20
181.199.151.19:80
181.211.130.109:443
181.29.101.13:80
181.31.49.178:80
181.39.134.122:80
185.129.93.140:80
185.86.148.222:8080
185.94.252.27:443
186.71.75.2:80
187.178.9.19:20
187.188.166.192:80
187.190.237.104:8080
187.242.204.142:80
189.196.140.187:80
190.113.233.4:7080
190.117.206.153:443
190.123.35.82:50000
190.13.211.174:21
190.147.116.32:21
190.147.12.71:443
190.180.52.146:20
191.97.116.232:443
192.155.90.90:7080
196.6.112.70:443
200.107.105.16:465
200.127.0.8:80
200.28.131.215:443
200.32.61.210:8080
200.45.57.96:143
200.57.102.71:8443
200.58.171.51:80
200.80.198.34:80
201.251.229.37:80
203.25.159.3:8080
205.186.154.130:80
216.154.222.52:7080
216.98.148.136:4143
217.113.27.158:443
217.199.175.216:8080
217.92.171.167:53
218.161.88.253:8080
219.74.237.49:443
219.94.254.93:8080
23.254.203.51:8080
31.179.135.186:80
37.59.1.74:8080
43.229.62.186:8080
45.73.124.235:8080
46.249.204.99:8080
51.255.50.164:8080
62.75.143.100:7080
66.209.69.165:443
69.163.33.82:8080
72.47.248.48:8080
79.143.182.254:8080
80.0.106.83:80
81.143.213.156:7080
81.183.213.36:80
81.213.182.115:8443
81.3.6.78:7080
82.226.163.9:80
85.132.96.242:80
86.155.233.74:8080
89.134.144.41:8080
91.205.215.57:7080
91.83.93.124:7080
Epoch 1 - Spam/Stealer C2s
<not updated>
61.92.159.208:8080
104.236.185.25:8080
50.116.63.9:7080
Current Epoch 1 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJWcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
Epoch 2 C2s
103.53.44.20
104.236.206.44:8080
109.194.50.231
133.242.156.30:7080
134.196.53.52:7080
136.243.177.26:8080
138.201.140.110:8080
147.135.210.39:8080
149.255.56.242:8080
162.243.125.212:8080
167.114.210.191:8080
169.239.182.217:8080
174.136.14.100:8080
175.100.138.82:22
177.230.108.144:22
177.242.202.30:8080
177.242.214.30
177.246.193.139:20
178.152.78.149:20
178.62.37.188:443
178.79.161.166:443
179.32.19.219:22
181.129.30.82
181.175.142.212:990
182.176.132.213:8090
182.188.47.206:990
183.82.100.135
183.82.110.170:53
186.113.19.171
186.4.167.166
186.4.234.27:443
187.189.195.208:8443
189.154.42.168
189.209.217.49
190.145.67.134:8090
190.147.53.122:990
190.25.255.98
190.25.255.98:443
190.72.136.214:465
191.92.69.115
2.50.4.159:443
200.21.90.6
200.85.46.122
201.199.89.223:8443
201.220.152.101
201.238.152.20:465
207.44.45.27:22
211.248.17.209:443
211.63.71.72:8080
216.98.148.156:8080
217.13.106.160:7080
222.214.218.136:4143
24.139.205.186:8080
41.220.119.246
45.123.3.54:443
45.33.49.124:443
45.55.201.204:7080
46.100.165.6:53
46.105.131.87
50.31.0.160:8080
50.99.132.7:465
58.9.168.7:443
58.9.168.7:990
59.103.164.174
62.75.187.192:8080
64.13.225.150:8080
66.84.11.168:8080
69.251.12.43
69.45.19.145:8080
71.244.60.230:8080
73.189.66.63
77.56.253.112
78.186.5.109:443
78.188.7.213:8090
84.241.10.111:53
85.104.59.244:20
86.151.202.16:20
87.106.139.101:8080
91.205.215.66:8080
92.154.101.154:50000
94.76.200.114:8080
95.128.43.213:8080
98.142.208.27:443
98.144.73.193
Epoch 2 - Spam/Stealer C2s
<not updated>
198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080
Current Epoch 2 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCxS0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRchG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
Credits and Notes Section
WARNING - Some links may have been taken down shortly after I reported them to URLhaus.abuse.ch, because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
NOTE: The doc DL URLs are now in alphabetical order. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.
What is Epoch 1 and Epoch 2? (updated 03/07/2019)
I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed different timescales of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures and separate RSA keys for communications.
Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more
rapidly changing version of Emotet at one point in the last half of 2018; since then, Epoch 2 seems to be the smaller of the two.
This seems to change back and forth over a 6 month period. Despite having unique, unshared C2 infrastructures, these two botnets have been seen
to move bots from one to the other and show similar behaviors, seemingly controlled by a single entity/group, e.g. going on breaks in the same
time period.
Here are some observations I have noted since I have been watching these botnets:
- Checking a document download site from Epoch 1 will deliver a document that is different from what is being delivered at the same time on an
Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change every 10 minutes on both Epochs while distribution/spamming is active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Mondays of every week a new set of document download sites, and usually templates to accompany them, are generated early on
Monday morning/Sunday night.
- Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys used for C2 communications on each Epoch/botnet change every few months.
- Binaries for Epoch 1 payload sites are different from the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard-coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV definitions.
- Spamming activity seems to cease on each botnet at around 00:00 UTC each day. It usually starts back up around 07:00-08:00 UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell which botnet a sample is from is to find the payload and then check the C2s/RSA key. HINT - CAPE Sandbox makes this
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other, as if the first was a test. This has been observed for obfuscation,
spam template, Word template, document type and even payload.
If I think of anything else to add or if anyone else has any suggestions, I will add them here.
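As an added example, not part of the original pastebin, here is a Python triage helper for the "find the payload and check the C2s/RSA key" step described above. It parses C2 lists in the ip[:port] form used on this page (tolerating the entries that carry no port and the "<not updated>" markers), fingerprints a base64 SubjectPublicKeyInfo, reads the modulus size and public exponent out of the DER with a minimal TLV reader, and attributes a sandboxed sample to an epoch by key match first and C2 overlap second. The C2 subsets and both RSA keys are copied from the lists above; the sample C2 list in the demo and the 203.0.113.5 address are constructed, and the function names are this example's own.

```python
import base64
import hashlib
import ipaddress

# A handful of entries copied from the Epoch 1 and Epoch 2 C2 lists above;
# a real deployment would load the full lists. Some Epoch 2 entries carry
# no port, exactly as published. IPv4 only, as the published lists are.
EPOCH1_C2 = """
103.201.150.209:80
109.104.79.48:8080
159.69.2.128:7080
190.123.35.82:50000
91.205.215.57:7080
"""
EPOCH2_C2 = """
103.53.44.20
104.236.206.44:8080
136.243.177.26:8080
190.25.255.98:443
91.205.215.66:8080
"""

# The current RSA public keys from above; whitespace from line wrapping is
# stripped before decoding, so the pasted form can be fed in as-is.
EPOCH1_RSA = (
    "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+"
    "0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ"
    "Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB"
)
EPOCH2_RSA = (
    "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx"
    "S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc"
    "hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB"
)


def parse_c2_list(text):
    """Parse 'ip[:port]' lines into {ip: port_or_None}.

    Blank lines and '<...>' placeholders such as '<not updated>' are skipped;
    a malformed address raises ValueError instead of silently becoming an
    indicator that can never match.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("<"):
            continue
        ip, _, port = line.partition(":")
        ipaddress.ip_address(ip)            # validation only
        entries[ip] = int(port) if port else None
    return entries


def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def key_der(b64):
    return base64.b64decode("".join(b64.split()))


def key_fingerprint(b64):
    """SHA-256 of the DER SubjectPublicKeyInfo, insensitive to line wrapping."""
    return hashlib.sha256(key_der(b64)).hexdigest()


def rsa_key_params(b64):
    """Return (modulus_bits, public_exponent) from a base64 SubjectPublicKeyInfo."""
    _, spki, _ = _der_tlv(key_der(b64), 0)      # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    _, _alg, pos = _der_tlv(spki, 0)
    _, bitstr, _ = _der_tlv(spki, pos)
    _, rsa_pub, _ = _der_tlv(bitstr[1:], 0)     # skip unused-bits octet; SEQUENCE { n, e }
    _, n_bytes, pos = _der_tlv(rsa_pub, 0)
    _, e_bytes, _ = _der_tlv(rsa_pub, pos)
    return int.from_bytes(n_bytes, "big").bit_length(), int.from_bytes(e_bytes, "big")


KNOWN = {
    "Epoch 1": {"c2": parse_c2_list(EPOCH1_C2), "key": key_fingerprint(EPOCH1_RSA)},
    "Epoch 2": {"c2": parse_c2_list(EPOCH2_C2), "key": key_fingerprint(EPOCH2_RSA)},
}


def attribute_sample(sample_c2s, sample_key_b64=None):
    """Attribute a sample to an epoch from its hard-coded C2s and RSA key.

    Returns (label_or_None, {label: shared_c2_count}). A key fingerprint match
    is decisive because keys are not shared between epochs; otherwise the epoch
    sharing the most C2 IPs wins. Ports are ignored for the overlap because some
    published entries omit them. Zero overlap or a tie returns None so the
    analyst looks closer instead of trusting a guess.
    """
    sample_ips = set(parse_c2_list("\n".join(sample_c2s)))
    scores = {label: len(sample_ips & set(info["c2"])) for label, info in KNOWN.items()}
    if sample_key_b64:
        fp = key_fingerprint(sample_key_b64)
        for label, info in KNOWN.items():
            if info["key"] == fp:
                return label, scores
    best = max(scores, key=scores.get)
    if scores[best] == 0 or list(scores.values()).count(scores[best]) > 1:
        return None, scores
    return best, scores


if __name__ == "__main__":
    # Constructed sandbox output: two Epoch 2 C2s plus an unrelated TEST-NET address.
    sample = ["190.25.255.98:443", "136.243.177.26:8080", "203.0.113.5:443"]
    print(attribute_sample(sample))
    print(rsa_key_params(EPOCH1_RSA))
```

Comparing on IP rather than ip:port is a deliberate choice: the published Epoch 2 list mixes entries with and without ports, and the page states C2s are never shared between the two botnets, so the IP alone discriminates. The key fingerprint is the stronger signal and is checked first; the modulus size and exponent are only reported for the analyst's notes, not used for attribution.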
Community Lists
Credits
(OC from @JRoosen and/or combination work of the following)
Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
@Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192
Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro
Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
helping out with this!
Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
@urlscanio, @TrendMicro and @Virustotal for providing services/software at no charge to this cause!
Daily Log 05-20-19
Absolutely no sign of Emotet to me today in the UK. Plenty of other crap though.
Polish language templates are in circulation, following on from the wave reported last week.
A big thank you to all those that report #emotet via Twitter, URLhaus, URLscan and all the sandboxes.
I missed a couple of E2 EXE sets on 17/05 - I will update and repost the additional IOCs
General News:
German warnings on emotet
https://www.pcwelt.de/news/Polizei-warnt-Trojaner-versteckt-sich-in-Antwort-Mail-10595144.html
REVIEW:
If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links: just change the Explorer association
to open .JS files via Notepad.exe. You can follow my instructions here in this Any.Run:
https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
I recommend you do this because .JS malware is very 2016 or even earlier, and most users never need to run .JS or .JSE for that matter.
You can likely throw other extensions into the same configuration; @JayTHL had a nice thread discussing this here:
https://twitter.com/JayTHL/status/1126204098670411779
Email Template Report:
Generic templates for the most part; the usual body text is listed below.
Review:
What we know about the threaded templates/reply chain (changes are marked with *):
- Emails are sourced from once (or still) compromised users all over the world.
*- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
to the compromised party on or before Nov 2018 until at least March 2019 (may be up to present). Also have seen emails going
back as far as June 2018.
- Now on E1 and E2.
- Now seeing German based templates that are essentially the same thing but in German.
- The injected reply is usually prefaced with one of the following:
"Attached is your confidential docs."
"Attached please find the wire transfer form."
"Thank you for your help. Please see the attached."
"Load instructions attached"
"A printer friendly attachment is now included with each email."
"Click on the attachment to open or save the printer friendly version of your report."
- Both attachment-based and link-based delivery of the maldocs/ZIP/JS have been observed.
- Attachments seem to be in the filename format *_Month_DD_YYYY.doc/js so far.
- The link's display text is customized to show the real domain of the spoofed organization.
- These templates are pretty limited in run and not very numerous.
Link Regex Report:
Regex directory patterns
E1
*https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)
https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/
E2
https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
*https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/
These regex patterns are to be used experimentally and at your own risk, but they caught 95%+ of link malspam.
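As an added example (not part of the original pastebin), the E1 and E2 directory patterns above wired into a small Python scanner that tags URLs pulled out of free-text lines such as mail bodies or gateway logs. It applies the end-of-line trick from the NOTE by testing each extracted URL with a newline appended, so the E2 pattern that ends in (\"|\n) behaves the same on a bare URL as it would on a quoted link in an HTML body. The URL_RE extractor, the function names and the sample lines are constructed for this demonstration: three links are taken from the Epoch 2 list above, one is a constructed link shaped like the E1 "secure_zone" pattern, and two are benign links that must not fire.

```python
import re

# The directory patterns from the Link Regex Report above, keyed by botnet.
# The leading '*' that marks recently changed entries has been dropped; the
# expressions are otherwise unchanged and keep the report's escaped slashes.
PATTERNS = {
    "E1": [
        r"https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)",
        r"https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/",
        r"https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/",
        r"https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/",
    ],
    "E2": [
        r"https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/",
        r'https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)',
        r"https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/",
    ],
}

# Compiled once; re.search is used because the patterns are not anchored.
COMPILED = {label: [re.compile(p) for p in pats] for label, pats in PATTERNS.items()}

# Loose URL extractor for pulling links out of free text (constructed helper,
# not part of the report). Stops at whitespace, quotes and angle brackets.
URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def classify_url(url):
    """Return the set of botnet labels ('E1', 'E2') whose patterns match url."""
    # A newline is appended so the pattern that ends in (\"|\n) sees the
    # end-of-line it expects when a bare URL, rather than a quoted link, is tested.
    text = url.strip() + "\n"
    return {label for label, pats in COMPILED.items()
            if any(p.search(text) for p in pats)}


def scan_lines(lines):
    """Extract every URL from each line and return [(url, labels)] for the
    URLs that match at least one pattern; URLs with no hits are dropped."""
    hits = []
    for line in lines:
        for url in URL_RE.findall(line):
            labels = classify_url(url)
            if labels:
                hits.append((url, labels))
    return hits


# Constructed sample input (see the lead-in for where each line comes from).
SAMPLE_LINES = [
    "Please see attached http://24mm.site/wp-content/pzCNFBGPe/ for the invoice",
    "http://crsigns.co.uk/wp-includes/rncjoymd9s61_ahrbb-46845098052870/",
    "http://bkr.al/cgi-bin/40zpx-msvngf-sstoene/",
    "Login at http://example.net/secure_zone/US_en/accounts today",
    "Weekly report: https://example.com/wp-content/uploads/2019/05/report.pdf",
    "https://example.org/news/2019/05/20/story-of-the-day/",
]

if __name__ == "__main__":
    for url, labels in scan_lines(SAMPLE_LINES):
        print(",".join(sorted(labels)), url)
```

The scanner reports which botnet's pattern set fired rather than a single yes/no, because the page's own observation is that E1 and E2 use different directory layouts; a hit on both sets at once is unusual and worth a second look. The benign WordPress upload path in the sample is there to show why the trailing (\"|\n) matters: without it, "wp-content/uploads/" followed by another path component would match the E2 directory pattern.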
Payloads Report:
E1 would seem to be attachment-based only, no sign of active URLs.
DOC hashes above were drawn from Any.Run.
E2 ran to just over 200 URLs at time of writing.
Both Trickbot and Dreambot were seen as secondary infections today.
E1 EXE - only 3 hashes observed, all ~74k
E2 EXE - only 4 hashes observed, all ~74k
C2 Report:
C2s DID change for E1 and increased from 80 to 83 combos in total. - recorded above
C2s DID change for E2 and decreased from 92 to 84 combos in total. - recorded above
Closing:
I am out of office for the next couple of days but will get the key indicator lists together.
@ps66uk
TT
Sandbox 05/20/19
(all with fakenet and MITM unless spam/secondary infection)
Epoch 1 C2 run on 2019-05-20 (private report)
Epoch 2 C2 run on 2019-05-20 at 22:30 UTC - https://app.any.run/tasks/67276dba-a4eb-404b-88a2-fb0add7d857f