Daily Emotet IoCs and Notes for 05/21/19

Emotet Malware Document links/IOCs for 05/21/19 as of 05/22/19 01:00 BST

Notes and Credits are now at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.


<none>



http://3glav.ru/css/lm/LElPNvTAyeCNgL/
http://912graphics.com/cgi-bin/btqbghdo7eu6ykg0zzxjohdj7_j9gac5n-2948099525/
http://9coderz.com/wp-admin/lm/lm/VtuGyUdGncbiGlUmipu/
http://adil-darugar.fr/wp-admin/Scan/trrMBcbN/
http://advokat-kov.ru/new/Document/dcm61tc0sudmm5n860qu1ra_ubwtq8m-5670754007/
http://aio.sakura.ne.jp/forum3d/c9q8c85-7x79nvt-zefc/
http://airconfidencebd.org/wp-content/hfrhybo35jocmt9rykxk92d9_ws2nvv-804221103844/
http://akihi.net/BBS/omra-4vws5-ilkw/
http://akoagro.com/wp-includes/FILE/fsrauTLdLBq/
http://aktpl.com/wp-includes/f8kqjc4-rsaxk-cgivh/
http://alageum.chook.kz/wp-content/uploads/Scan/04263hkou_u9q456yn8-3307251785606/
http://alphalif.se/css/esp/vcpf5ck3gkufnd1tcz06m1dpe0wu_2kkhrv2r7-223819466498611/
http://ambil-hadiahpb.cf/css/Document/zvv6pzemxix7bkqkxcdven37o7v7p8_w4gnn62w-746465135047600/
http://anase.org/wp-content/Pages/iq89n0t5_yfxzp-070843819/
http://an-premium.ru/wp-admin/7b6ech5-svgat05-fnyjvh/
http://anpuchem.cn/wp-admin/2spx3-fd0s9jc-wxcnzqe/
http://appsville.global/wp-includes/6m7d5hr-jolf92s-dxvkhvz/
http://aradministracionintegral.com/wp-content/uploads/q4qzpxt57s_s90s0-562133435485/
http://asatc.ovh/wp-admin/rctqjq-n5326-wzslqtb/
http://atkt.markv.in/_notes/FILE/OCTbubxwjOUENnC/
http://ayashige.sakura.ne.jp/FAQ/wp3mn-06n4afc-usedfbr/
http://azbeton.ro/wp-content/Document/vtjHcnFgqglXQqzqEkohRLJd/
http://b118group.com/wp/b0gk3v7xqs_8737y8-565189409480/
http://batdongsanminhmanh.com/wp-content/uploads/Plik/VSHZLPQDixgGn/
http://bcaa.gq/wp-includes/Pages/WoJUHWDOFhNKDkbe/
http://bestit.biz/suspended.page/esp/ZrnXUqWtuAfQZQRQSBUrFxEDGWGwvk/
http://biyoistatistikdoktoru.com/wp-content/0094ofi-io04bs-wgexsrj/
http://blog.dmtours.lk/wp-content/FILE/ruaXvPMVnjujCTjeLLT/
http://blog.laviajeria.com/wp-content/uploads/gsaujyf-ry06n-dssec/
http://blog.tactfudosan.com/wordpress/Document/KAsyYWOZLfoEhvrJgr/
http://blogs.ct.utfpr.edu.br/mansano/9nlp-wepue-agwyqrc/
http://bmeinc.com/wp-content/t0wunqu-izvvlvm-cqxnq/
http://boilerservice-cambridge.co.uk/muun/esp/IhCsETyWZrho/
http://bonizz.com/DMC/parts_service/5eh2hsadldjems1kq3wlh403v_e39t3mz1ud-335687791589/
http://buxton-inf.derbyshire.sch.uk/wp-content/d3q7i2h-uf2cg-etdwftf/
http://caddish-seventies.000webhostapp.com/wp-admin/4ur9tmys2h_75g6pp-73387052/
http://carlyarts.tk/cgi-bin/0hz63w-s3alcb-vjrm/
http://chinmayacorp.com/COPYRIGHT/Plik/tjDkGOTPHOJ/
http://chirurgien-ophtalmo-retine.fr/wp-admin/Scan/trrMBcbN/
http://cielecka.pl/ilum.pl/Document/f7djienirh5otecveisehl6oi_tn22d-108070575/
http://cmg.asia/wp-content/uploads/DOK/bkmrGzXzIEZODqVCVwBTcQiNn/
http://congchunggiakhanh.vn/wp-content/lm/lmjQDFYXEANYNpuvmqbCJs/
http://conjurosdelcorazon.info/wordpress/Inf/1hpu9k3q05djyl3gq5722_d7u08f-5929583887/
http://consortiumgardois.eu/images/FILE/kzfYkwNCziLHPSLvhPexT/
http://coronadobaptistchurch.org/wp-includes/paclm/nrzbbwc9xordu0f1pojvw03um0v42_ucm04gi-866893424118465/
http://corporateipr.com/m9c/phutz63-w90emms-oukwmr/
http://crsigns.co.uk/wp-includes/rncjoymd9s61_ahrbb-46845098052870/
http://dag.gog.pk/wp-includes/PLIK/wndpifvajs/
http://daizys.nl/BKP-06-05-019/sites/HxflDlFmdMdWWyqIrRZHCGWSE/
http://data.iain-manado.ac.id/wp-content/jvqzpj-qqv5yn-iujro/
http://dembo.bangkok.th.com/wp-content/uploads/ZJzsVKdzRzmVYxKMwQhxC/
http://dembo.bangkok.th.com/wp-content/uploads/ZJzsVKdzRzmVYxKMwQhxC//
http://demositem.cf/wp-admin/lm/gfjj522nshq21esba0bgt5_ig360-20814056176637/
http://diarioprimeraplana.com.mx/wp-admin/04t8ju-5o1m33-exgwn/
http://disperumkim.baliprov.go.id/wp-content/JAaJgGgshskUmKanMFIDcM/
http://dnmartin.net/wp-includes/v62mbu6-bulqh0-mqvdot/
http://dog-mdfc.sakura.ne.jp/img/5oxre-zuektz-igln/
http://dronint.com/wp-admin/tt4up7x-989rvv-uykocm/
http://ds-cocoa.com/form/mfcz-els553-gutvyak/
http://duwon.net/wpp-app/co8s3b-3tkel3v-sgew/
http://ecommercefajeza.web.id/wp/tbkh1v-qjzzn3-wvojp/
http://economika.com.ve/email/paclm/dsbzhob4b8seeq_zl3zlxclc7-7223513679032/
http://e-controlempresarial.com/wp/paclm/02oyix5wanbeegnxcnudm_m9wha6e-6640018143938/
http://eeda.tn/wp-content/languages/qrx8t-enc1iw2-tlpfv/
http://egplms.okmot.kg/wp-includes/mf75rsm-y1pndse-apjgbfv/
http://emcimed.ml/wp-admin/INC/beCmcstHEcYWSdunsNpV/
http://esquso.com/wp-includes/parts_service/zncgw5r30ehtff4w4_nvu506u-84590229280717/
http://eticasolucoes.com.br/controle/FILE/urjm9ad0e20oke9_yys4j-1833857769/
http://eurofutura.com/carloghio/parts_service/JYRByxVSfhNOpVVTASyyBhBR/
http://exenture.net/mySHiT/mhv8eiw14_tj1q863agg-191035311473/
http://exposicaoceramicaearte.com.br/cgi-bin/Scan/cuhgcn4fje3ftup_x82vkmk-064904430823956/
http://faggioni.site/c/LLC/vyjd8e7lofux_y85bv-123015212024842/
http://fearis.sakura.ne.jp/data/yrvn-jsbee-qckg/
http://fills.info/d907-e9y5h-tahwufs/
http://filosofiya.moscow/2vx0z2/m0jt45-5vk7cj-kzcs/
http://fireprotectionservicespennsylvania.review/wp-content/k3nlc-jupmj-vxzwydm/
http://fitnepali.com/wp-content/plugins/vtt3uru-k3dfd-rfeqkz/
http://focuseducationcentre.cf/zayarlin/Document/bEjkgNhfyDTjBiljqJwhvIaDu/
http://gamingproapps.com/wp-admin/05wvu0-b8bm2-mujg/
http://garage-ucg.com/_mm/cshqzve-2wrp3b6-acmsyoc/
http://gatewaymontessori.edu.gh/5r0x/INC/sor5jniomi1bw8se6reyjodziydt_dk6pdtw-885852414780/
http://giangdinh.vn/wp-admin/LLC/AmMcutbAcsZgoLPpvSBSFJFL/
http://giaoducvacongnghe.com/wp-admin/parts_service/s5nvqu5cu5xiavsm_tt4g6sg-9685915454/
http://gilmatas.000webhostapp.com/wp-admin/yznvck5zdjh_m6ewq2-12021270394/
http://gite-la-gerbiere.fr/lib/bf1vgc-kym3vl-moyonq/
http://glumory.co.id/wp-admin/qlomqukhp4rm409zcqi35hdp_3ezcpjzr5-7274514462/
http://graminea.or.id/cgi-bin/esp/dRfhYjIAqKiRZKZtpFcXvsFYUD/
http://greencampus.uho.ac.id/wp-content/uploads/vyeow9-3fruh-vbno/
http://grinq.com.ua/wp-content/qon3os-lg1iwjy-xwfjr/
http://grupoxn.com/wp-content/h2uy3p-uanu36y-qpfbabc/
http://guidafinanziamentieuropei.it/dup-installer/esp/whISpSbNpvwrdNdxBlTfEMDIUKOs/
http://halcelemates.com.ng/cgi-bin/qspgn-miqx4yz-hudi/
http://haovok.com/wp-content/uploads/2019/i6pygi1-skve9j1-upduf/
http://haovok.com/wp-content/uploads/2019/vy24ysx-hdhlv8k-nyuqxqd/
http://havistore.net/wp-includes/wt6adv7-xupjzl1-sidkes/
http://hestoghundehuset.dk/wp-admin/mPKrLBEEMiHVhKYpHeEc/
http://iamzb.com/aspnet_client/system_web/c0rft63-7sh4lwp-rskuhl/
http://ibuying.pk/mvmbb6/ei43a-fw9o8-druj/
http://ideenn.ml/wp-includes/esp/5et9jh3fkakhc0tqf6mf_36yoe7na2-28649149907/
http://ipdesign.pt/wp-content/8j81y6r-r7axbj-coot/
http://itcshop.com.ng/fasttrackcash/Inf/qrjYUODRuCg/
http://jajiedgenet.name.ng/wp/DOK/x963ssn0_skxizz6j-099060478701887/
http://javed.co.uk/wp-admin/f3pafo-bac855-vrgxw/
http://kamasexstory.com/wp-content/y2o6h-vnm6vw-ehxybl/
http://kauzar.com.br/wp-admin/9naj-wg0geu-jvhkq/
http://kgdotcom.my/wp-content/e6k9v2v6m0_tfl09azf-288153120/
http://kipsoft.vn/wp-admin/uXHCWQYIsUwy/
http://kirakima.sakura.ne.jp/_yoru.oldcake/app/webroot/i23z-b91g84-kvrrlys/
http://kleine-gruesse.de/wp-includes/Document/laWittBVpszALuZbTWOvWHRk/
http://krasotatver.ru/wp-admin/n53x-uxotfh-dxkbol/
http://ksicardo.com/travel/86xczz-ky8hi-fbwoyt/
http://kujuaid.net/2006/9cs63i4-rbynm-zrnxuqw/
http://kumakun.com/aikawa/2q13-86mdf3-hjxhhr/
http://kuramodev.com/wp-admin/esp/2lcrz1uaq99jqg6x_btdci7az-5511668994948/
http://lab-quality.com/wp-includes/549lfpr-f98te73-fkqna/
http://lejintian.cn/wp-admin/bmyd-j0qwdr-gwyynxv/
http://lencoltermicosonobom.com.br/wp-content/ina4-ows9b-vnirk/
http://les.nyc/wp-content/uploads/zuxbjd6mgcbofmz_1lwfz-96882379608/
http://lesantivirus.net/css/esp/LvxnSHShDjxTiArIvTtXhDOGX/
http://liantrip.com/x6sm/INC/k9iovbtzedsa1ptk3j_9gqdpmgi-906696776/
http://lizerubens.be/wp-admin/parts_service/IWuXVRHMja/
http://lnemacs.com/updatecoreo/paclm/QOqcLyIDnqskRUPrQtAY/
http://logicsoccer.vip/wp-includes/PLIK/DyyyskgffSivMY/
http://longokura.com/wp-includes/Pages/RphdkFQwbj/
http://lr12sp10.org/wp-admin/8nu0md8-38qsi0-iqme/
http://luisromero.es/cafe/LLC/d02zuso2z3r0o07_uge4o-3011321187376/
http://luxconstruction.mackmckie.me/cgi-bin/LLC/jbiat3az5san8nte6g_mhl1i2rv-47824935/
http://luz.ch/fuurball/paclm/tayiwtdw9gvgb21rvi815umr4_l1k2tafz-916097634479/
http://maloninc.com/archive/lienu7-gmeqaps-nrnqb/
http://manorviews.co.nz/images/paclm/mcpf0o3f5me1zh2x2xarr5c_c2kog9qp6-11133861/
http://marbellastreaming.com/admin/3b1zwi824hbk1pe2coubcbob_5nlp4bh-14804269498/
http://markantic.com/wp-includes/LLC/oXitshkRMjCSa/
http://markelliotson.com/sites/k47y5hwtw8h_aqzp3l-449059094/
http://masana.cat/pix/parts_service/wBwhQtYEVIEpsMPtRsyl/
http://masterchoicepizza.com/wp-content/uploads/i650-0aa2od7-pdxlvg/
http://masters-catering.kz/star/Scan/4srrh6lm3eqgk7goazhnkodrbaio_eaxlbr-436287246/
http://mattshortland.com/ozXYuMOiYlguFF/
http://mayupan.com/css/Pages/jamcysmfx_d379k-789309688595/
http://mazzglobal.com/51655165g/sites/zuutn9zkjzzsbhffa5d0fpvaw9z_jzv2j6b-263923452810966/
http://megfigyel.hu/hirlevel/kj8ce-szyqbse-iinoje/
http://melondisc.co.th/47bd/atyb-h8smk3-qvbbwsh/
http://mic3412.ir/wp-includes/LLC/hsnp7lhg0fbqhj1dph7c4fmspwvz_r66ocyu3-858421356/
http://mickreevesmodels.co.uk/micks_chat/INC/KfNJTKdmSYiueWhbqeYVzigbOaUj/
http://misbragasusadas.com/wp-admin/paclm/okb30cee6xhg1cbi279ssznmewh88k_mimhl-536403870815322/
http://mjc-arts-blagnac.com/wp-content/Document/qein18j18_d9y843jj7-3116175961/
http://mjeas.seas.num.edu.mn/4jew/Pages/DddiRVHssfjb/
http://mjeas.seas.num.edu.mn/4jew/Pages/DddiRVHssfjb//
http://mmgbarbers.sk/wp-content/hmESzqKrW/
http://monsterz.net/blog2/FILE/fCuLIWGTqBVwcPDfUQRVodcKJxEmI/
http://m-ros.es/wp-admin/nfbyibe-l6cpr-wvgd/
http://mtaconsulting.com/wp-content/Pages/ntq8h5pnhzsb_c98jimy0lh-77243452881/
http://multicapmais.com/js/esp/jLOgrxpWZ/
http://mwvisual.com/scfv/bYofxzLIBlDANzJQJhwNsOgzvfU/
http://myofficeplus.com/Document/zJLRnsotorjEVuGxH/
http://ndm-services.co.uk/DOC/gsnhdhup7vp8u3onxtqzbn_mso4v7e-4060977015/
http://nforsdt.org.np/cgi-bin/LLC/rJhJsoFerEAbFVKOgJweNESInf/
http://ninhodosanimais.com.br/wp-admin/2r5n-hqg5fh-riwe/
http://noons.ru/wp-admin/DOK/mpmd1xmzhl8ijhcvdh2d40r249a_07m8onqzs-192022041933115/
http://novaoptica.pt/wp-admin/rnsoyvw-8y64rg-ppgc/
http://nucleomargarethferes.com.br/wp-includes/3lte794qnmo8qdk8p_cbdl68-46700341/
http://osarofc.com/wp-content/0svg-ykzyl-eczxl/
http://ovakast.com/wp-admin/zbb9q-if7z3-xncfy/
http://paywhatyouwant.io/cgi-bin/INC/RycXLpkwbaXNzSdOQYrWlxXoi/
http://placo.de/typo3_src-7.6.11/3jo2nmg-58mws-pospv/
http://planetkram.com/cgi-bin/FILE/lydb59kvj94x2qxaf0lo_95s38g-70862676621395/
http://pmalyshev.ru/wp-admin/FILE/x54foocsocq3hddk_c3e68-88316015852100/
http://priatman.co.id/old/gmvor-qkevv-kmjsj/
http://priatman.co.id/old/gmvor-qkevv-kmjsj//
http://print-consult.be/ResponsiveImageGallery/61p114nlua4w2_8mcik3tixr-083144052/
http://prom-alp.kz/wp-admin/1skay-qbj32qb-aoivyzz/
http://qwelaproducts.co.za/wp/voo74gu-yc23wv6-eysshi/
http://rabotkerk.be/cgi-bin/jt2ly-82r1t-uawc/
http://ramun.ch/infa/FILE/lJvrIxQuUlhOCEvbCUdnSfzGi/
http://rociton.com.bd/wp-content/parts_service/f40sb8gz9nnsppjgt7tclxs_gq8nvjogop-96874256/
http://rzd-med.kz/wp-admin/parts_service/sw52j2qr0y_aaqn7hq5b-378256719777818/
http://sanalkeyfi.com/wp-includes/Dok/qauowl45eharem4bo5i0_9vtspc-07835495394/
http://sa-pient.com/wp-admin/uhiz5-waz5h1-oeokf/
http://sawitandtravel.com/cgi-bin/4xaib1-5gzkqtk-ncyncpf/
http://seabird.com.ph/html5lightbox/e49fc-v1zh9o-zrdsp/
http://sexlustoys.com/app/heotbm4-5ea4e-qbhgzg/
http://shadzisti.ir/wp-includes/bka7-9lmu27-vhofm/
http://skilancein.000webhostapp.com/assets/INF/BztYZLgGvYARNnbzPsTRtTUGJy/
http://slppoffice.lk/wp-admin/cjr9zzp-rf7yx2-rbvxv/
http://smake.in/wp-admin/4ssh779-i04deq-vsarad/
http://smartschools.co.zw/wp-content/f8sy-k74kuj-xsaidw/
http://snowballnaturals.com/cgi-bin/gsai-g663ics-kgisfcn/
http://songdung.vn/4d4ixle/zxkthq-p764b-mmzxllf/
http://sreelabels.com/wp/x1zu-9l83g-fhhdw/
http://srgranel.pt/blogs/LLC/yi2j7x85stn1at_4dvhbnr-47282747/
http://sseg.ch/wp-content/ytn7-eh9d9a0-jphxofx/
http://steventoddart.com/cgi-bin/78djj4-9rsc3m6-rwtqz/
http://subkhonov.com/LLC/Document/qWrWCtrmDmBwslubhyvcaBfWhiQX/
http://sulkanvariasimotor.com/cgi-bin/Dane/QdSsDaRPbt/
http://supercopa.cl/assets/esp/zugnnetz0suvx017j01zwr3_x33y9-0543142109882/
http://swansgateshoppingcentre.com/wp-includes/Scan/ok6ulsnds83m0s_6gz9lcuo8c-605978940826/
http://tbwysx.cn/build/9631pb-3ndkdr6-ieae/
http://teiamais.pt/wp-admin/ir05prk-vawjdhm-mwwvx/
http://teknisi-it.id/COPYRIGHT/FILE/VppKShnPdkhRjUEXEeooCIIAhwbUDA/
http://thegeekmind.pt/wp-admin/hyxd-4bsn17c-hfsreja/
http://theoptimacreative.com/backer/DOC/lzdtnRntp/
http://thethaoams.com/wp-admin/k8xc-vr0ue-ryktr/
http://toorya.in/wp-content/csbluri-69vjyo-gvib/
http://torneosnh.com/lucho/qgyr-kn326x-dxbtpa/
http://trademarkloft.com/wp/LLC/MRWfXNPWcWfmIEtA/
http://travel2njoy.com/wp-admin/30f8i-871i1f1-hcbtiyx/
http://trendybirdie.it/wp-admin/l26xb-qw1gs-nbrr/
http://usemycredit.ml/wp-includes/lm/qr0k1llf_9epghq0f-911869644204054/
http://veresk-studio.ru/wp-admin/e032ur-7ivwl-evprfzy/
http://vidalgesso.com.br/wp-content/parts_service/0dxp3gqybi_khdxx-76852614/
http://vinyasayogaschool.co.in/wp-admin/Pages/srSdAHPKkqZbXQVsEkPcjTBAUxFM/
http://voctech-resources.com/cgi-bin/Scan/yygznlklj5_donv8-334023278047356/
http://warwickvalleyliving.com/images/classes/89ofu-pyt3kp6-ucnuue/
http://www.912graphics.com/cgi-bin/btqbghdo7eu6ykg0zzxjohdj7_j9gac5n-2948099525/
http://www.adil-darugar.fr/wp-admin/Scan/trrMBcbN/
http://www.cmg.asia/wp-content/uploads/DOK/bkmrGzXzIEZODqVCVwBTcQiNn/
http://www.maria-hilber.at/wordpress/y0og46-pud86sj-qmdnev/
http://www.nucleomargarethferes.com.br/wp-includes/3lte794qnmo8qdk8p_cbdl68-46700341/
http://www.rabotkerk.be/cgi-bin/jt2ly-82r1t-uawc/
http://www.vidalgesso.com.br/wp-content/parts_service/0dxp3gqybi_khdxx-76852614/
http://xpelair.com.ng/wp-admin/uwenu-wdun3-aurp/
http://yaxiang1976.com.tw/wp-admin/01hx-6w7iiy-boqkmey/
http://yk-style.net/weibo/erjm9-7dlg8an-zsldtn/
http://zhas-daryn.kz/toreshim.kz/LLC/ndpZCyBJjxPtWoCjvwxzqByfXVQsuT/
http://zmeyerz.com/homepage_files/paclm/ATMrNHzXJjfIFDTQmcCNmiPHPRUXO/
https://akihi.net/BBS/omra-4vws5-ilkw/
https://blog.laviajeria.com/wp-content/uploads/gsaujyf-ry06n-dssec/
https://bmeinc.com/wp-content/t0wunqu-izvvlvm-cqxnq/
https://buxton-inf.derbyshire.sch.uk/wp-content/d3q7i2h-uf2cg-etdwftf/
https://centredentairedouville.com/wp-includes/Document/zw020kmf76b9mjrb_75xfiu-31033395686/
https://conjurosdelcorazon.info/wordpress/Inf/1hpu9k3q05djyl3gq5722_d7u08f-5929583887/
https://dnmartin.net/wp-includes/v62mbu6-bulqh0-mqvdot/
https://eeda.tn/wp-content/languages/qrx8t-enc1iw2-tlpfv/
https://euma.vn/yfbh/pvhwwa-xg74b4-bknrdh/
https://exposicaoceramicaearte.com.br/cgi-bin/Scan/cuhgcn4fje3ftup_x82vkmk-064904430823956/
https://fitnepali.com/wp-content/plugins/vtt3uru-k3dfd-rfeqkz/
https://hlclighting.ca/wp/Scan/oylkuxb7d3zafh4_yyzho55c-730553405724/
https://kamasexstory.com/wp-content/y2o6h-vnm6vw-ehxybl/
https://katesemernya.ru/wp-content/parts_service/fl3u8puxwduomh55mrw44jisppz10r_nfmkflw-998458487096619/
https://ksicardo.com/travel/86xczz-ky8hi-fbwoyt/
https://liantrip.com/x6sm/INC/k9iovbtzedsa1ptk3j_9gqdpmgi-906696776/
https://longokura.com/wp-includes/Pages/RphdkFQwbj/
https://lr12sp10.org/wp-admin/8nu0md8-38qsi0-iqme/
https://megfigyel.hu/hirlevel/kj8ce-szyqbse-iinoje/
https://mjc-arts-blagnac.com/wp-content/Document/qein18j18_d9y843jj7-3116175961/
https://placo.de/typo3_src-7.6.11/3jo2nmg-58mws-pospv/
https://proxindo.id/wp-admin/FILE/vgsupeyhnlc8ka4tbdu72wde7khpa_1ganzrzry-05828045/
https://ramun.ch/infa/FILE/lJvrIxQuUlhOCEvbCUdnSfzGi/
https://rzd-med.kz/wp-admin/parts_service/sw52j2qr0y_aaqn7hq5b-378256719777818/
https://srgranel.pt/blogs/LLC/yi2j7x85stn1at_4dvhbnr-47282747/
https://thethaoams.com/wp-admin/k8xc-vr0ue-ryktr/
https://topaqiqah.com/wp-admin/iwrivz-kuvph-szzyiic/
https://www.kleine-gruesse.de/wp-includes/Document/laWittBVpszALuZbTWOvWHRk/
https://www.sseg.ch/wp-content/ytn7-eh9d9a0-jphxofx/


Epoch 1 Payloads by Document SHA256 - All Times UTC


Creation Time	2019:05:21 15:47:00	(Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
http://lucy-jade.com/wp-includes/tbzu5/
http://feti-navi.net/wp-admin/gfod2z3668/
http://vinkagu.com/wp-admin/1mc0544/
http://hashkorea.com/wp-includes/sp0d763/
http://phigvelers.com/Library/7tak1867/


Creation Time	2019:05:21 11:11:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
f9ab3d277291f373e3d2986e76401a707948eaef5d22cb884c278f962fd4d035
1b48a315a4e8c5a5b7095883e663dd0b43f40f9bb60d17bda594c37648371469
b7c079f1f0580be195115872575caa40cd63137a5aaffdbd447708e1723dc4e3
fa38aaec56c44bf5e2e151cfeaed8b47b19491e1fdec93c77baf5803c5f4d0d8
4cc271756b3556d783f24f14250e61f7ac3113dd3cccdf3ed91544b4e1254d21
04f15c494871ac098989011d3ea2d97fb75117407937a5bec50dfd87cdfdcdc4
b408e06a045d97382580d5f1a7b1d5183368de3cb0cf3324647f1d802ba95bef
d4813f30ddf8126ecbfff6875784ac8d0ed7396ed7f6fea7b48fc9d53a86c0ce
1a09ca29dffdc772442b2d5c3b5a5ba6aac16bb132b2f793e959f25bfd71d223
7bb6d38374d20b09092ee76894f5f10bfd4c18dfb75b1277e6a41f5b9bda0c31
baf34bf1cc0f032834397222dd59c2557bf5f07cd0224e7f09e6195a35ca90bd
e2b1de5edef455be4fc02f63386113d5f9388964c88a8b203f8c64b95dccfcf2
2d637c739528b1bb6ef74565459d1bba3879d812cdef35bef1db18502fc719b1
ff032e980b8d7ace5618a79ffe8dc09a99d8b133de6d9adfee43690367475f37
b7c079f1f0580be195115872575caa40cd63137a5aaffdbd447708e1723dc4e3
4ff3858e96b9e76a27c8441347cfebb98dd1ccc58748f794b8c797aa19df75d3
b408e06a045d97382580d5f1a7b1d5183368de3cb0cf3324647f1d802ba95bef
7fbec185d4b8ea5ae64de6f2e47a48091582437d26f55c547eb62da373341431
98594d722c9887eccf2912c97c05c72c95d2cd03f795ae4752f307d28b8dfecb

http://indahtour.com/test/xyswwg35509/
http://bike-nomad.com/thumbnails/525v731481/
http://esnconsultants.com/medals/oftqcsg954/
http://heuveling.net/l3d74/
http://leeger.net/joomla/c60/


Creation Time	2019:05:21 06:34:00	(Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
http://nemexis.com/v2/iogkxow886/
http://giumaithanhxuan.com/bipq/1265/
http://lifetransformersgroup.com/cgi-bin/0px3t7/
http://mejalook.com/blog/46nq99/
http://mejiadigital.net/4a30/

also
http://169.61.9.157/v2/iogkxow886/ 


SHA256s for Epoch 1 Payload EXEs seen on 05/21/19


bbb17749e7d4493a06e557a500eefd2f3472439ca955d2b2f74367c431d39348
9281bed7f99d4dc0c5066c7437bf66ef884b22e3c64386b60ba120ee7600fd71
1da42da7db4625dc10cc670638d2ec0f214173b4e2feea0828236de9b6683e5b
4cdc642df81767d815fa348ad81f7804678ee15b47785f2056d5818b55700c7a


Epoch 2 Payloads by Document SHA256 - All Times UTC


Creation Time	2019:05:21 15:38:00	(Attachment only - DOC Based - ENG - 365 Blue Box)
SHA256:
0bc575f2877b8823c88e054f060f9615f107f667ad9b3ab7ef81342257f62ae0
7d90829f67ffeaa277c1f148853d1bc8029b50061fcb67f954794ae02da8e6d5
005031fa9bc41b117502d84a3bc07e4d0dcdefad19bceac8d55f982628b66497
be426ab8a0fd5fa32dbd356f2cf9ffb1f470c11f521bde62bf1130c6b4824a93

http://tataaquila.com/wp-content/VnZCUGsIx/
http://quangcaobanghieu.vn/wp-admin/mnxcr_prcplofs-543418/
http://entertech.pt/ftp_sat/pfd770s9cd_tv21zy-3/
http://mentes.bolt.hu/zscf/ZnHNjKBqK/
https://midnighthare.co.uk/joomla/qCwEdMNIU/


Creation Time	2019:05:21 11:29:00	(DOC Based - ENG - 365 Blue Box)
SHA256:
http://mireiatorrent.com/wp-includes/bj07f0biw9_0sj91efi-0/
http://msograteful.com/codImwUJbt/
http://escoder.net/cgi-bin/OmrZcAEqS/
http://priyainfosys.com/products/FSrnZTOgOA/
http://llona.net/bqi776dm_agvux-6816533798/


Creation Time	2019:05:21 07:46:00	(DOC Based - ENG - 365 Blue Box)
SHA256:
https://mobilizr.com/slagmite/vfao_7pkco0lob-674967226/
http://mmesupport.com/upload_docs/7qnxu0_on92iv5o8u-07294/
https://miv-survey.com/ws/xz8yftcm6t_bdxduwga3w-3/
http://moolo.pl/pub/NauVcJcbPH/
http://mstation.jp/2004christmas/ybgiax_c3bk83e7-33621494/

also
https://www.slagmite.com/vfao_7pkco0lob-674967226/


SHA256s for Epoch 2 Payload EXEs seen on 05/21/19


5043fefebe7b86a1f6c9cce3851198c9e57ec13bb20a092def794eed67520648
51465a36762cd888020e933c9ecd34d8834b38cb424616b5ab155c50791bcf79
e53bde18c9de202dfe978dfd02a456fae1d1db6188491841fedadc306b10d68e


Epoch 1 C2s


103.201.150.209:80
105.224.171.102:80
109.104.79.48:8080
109.73.52.242:8080
110.93.196.197:80
111.67.12.221:8080
134.101.222.153:80
159.69.2.128:7080
163.18.23.242:80
175.107.200.27:443
181.110.239.26:80
181.143.101.18:8080
181.15.177.100:443
181.15.243.22:80
181.16.127.226:443
181.164.227.212:80
181.198.67.178:20
181.199.151.19:80
181.211.130.109:443
181.29.101.13:80
181.31.49.178:80
181.39.134.122:80
185.129.93.140:80
185.86.148.222:8080
185.94.252.27:443
186.71.75.2:80
186.86.177.193:80
187.178.9.19:20
187.188.166.192:80
187.190.237.104:8080
187.242.204.142:80
189.196.140.187:80
190.113.233.4:7080
190.117.206.153:443
190.123.35.82:50000
190.147.12.71:443
190.180.52.146:20
190.252.229.53:80
191.97.116.232:443
192.155.90.90:7080
196.6.112.70:443
200.107.105.16:465
200.127.0.8:80
200.28.131.215:443
200.32.61.210:8080
200.57.102.71:8443
200.58.171.51:80
200.80.198.34:80
201.251.229.37:80
203.25.159.3:8080
205.186.154.130:80
216.154.222.52:7080
216.98.148.136:4143
217.113.27.158:443
217.199.175.216:8080
217.92.171.167:53
218.161.88.253:8080
219.74.237.49:443
219.94.254.93:8080
23.254.203.51:8080
31.179.135.186:80
37.59.1.74:8080
43.229.62.186:8080
45.73.124.235:8080
46.21.105.59:8080
46.249.204.99:8080
51.255.50.164:8080
62.192.227.125:80
62.75.141.51:7080
62.75.143.100:7080
66.209.69.165:443
69.163.33.82:8080
71.244.60.231:8080
71.43.69.2:443
72.47.248.48:8080
79.143.182.254:8080
80.0.106.83:80
81.143.213.156:7080
81.183.213.36v
81.213.182.115:8443
81.3.6.78:7080
82.226.163.9:80
82.71.157.57:443
85.132.96.242:80
86.155.233.74:8080
87.246.58.59:80
89.134.144.41:8080
91.205.215.57:7080
91.83.93.124:7080



Epoch 1 - Spam/Stealer C2s

<not updated>	
61.92.159.208:8080
104.236.185.25:8080
50.116.63.9:7080


Current Epoch 1 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB


Epoch 2 C2s


103.11.83.52:443
103.53.44.20:80
104.236.206.44:8080
105.228.3.127:465
109.194.50.231:80
117.218.17.6:990
134.196.53.52:7080
134.209.14.155:8080
136.243.177.26:8080
138.201.140.110:8080
147.135.210.39:8080
162.243.125.212:8080
167.114.210.191:8080
169.239.182.217:8080
174.136.14.100:8080
174.96.5.251:465
175.100.138.82:22
177.230.108.144:22
177.242.202.30:8080
177.242.214.30:80
177.246.193.139:20
178.152.78.149:20
178.62.37.188:443
178.79.161.166:443
179.32.19.219:22
181.129.30.82:80
181.175.142.212:990
181.189.213.231:465
182.176.132.213:8090
182.176.94.236:20
182.188.47.206:990
183.82.100.135:80
183.82.110.170:53
186.113.19.171:80
186.4.167.166:80
186.4.234.27:443
187.177.154.167:990
187.189.195.208:8443
189.154.42.168:80
189.209.217.49:80
190.145.67.134:8090
190.147.53.122:990
190.25.255.98:443
190.25.255.98:80
190.72.136.214:465
191.92.69.115:80
2.50.4.159:443
200.21.90.6:80
200.85.46.122:80
201.199.89.223:8443
201.220.152.101:80
201.238.152.20:465
207.44.45.27:22
211.248.17.209:443
211.63.71.72:8080
216.98.148.156:8080
217.13.106.160:7080
222.214.218.136:4143
23.95.95.18:80
24.139.205.186:8080
41.220.119.246:80
45.123.3.54:443
45.33.49.124:443
45.55.201.204:7080
46.100.165.6:53
46.105.131.87:80
50.31.0.160:8080
50.99.132.7:465
58.9.168.7:443
58.9.168.7:990
59.103.164.174:80
62.75.187.192:8080
64.13.225.150:8080
66.84.11.168:8080
69.251.12.43:80
69.45.19.145:8080
71.244.60.230:8080
73.189.66.63:80
74.207.227.96:443
77.56.253.112:80
78.186.5.109:443
78.188.7.213:8090
84.241.10.111:53
85.104.59.244:20
86.151.202.16:20
87.106.136.232:8080
87.106.139.101:8080
91.205.215.66:8080
92.154.101.154:50000
94.76.200.114:8080
95.128.43.213:8080
98.142.208.27:443
98.144.73.193:80


Epoch 2 - Spam/Stealer C2s

<not updated>
198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080


Current Epoch 2 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB


Credits and Notes Section


WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as
it is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are now in alphabetical order. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

What is Epoch 1 and Epoch 2? (updated 03/07/2019)

I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed different timescales of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures and separate RSA keys for communications.
Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more
rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
This seems to change back and forth over a 6 month period. Despite having unique, unshared C2 infrastructures, these two botnets have been seen
to move bots from one to the other and show similar behaviors, seemingly controlled by a single entity/group, e.g. going on breaks at the same
time period.
Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different from what is being delivered at the same time on an
Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change every 10 minutes on both Epochs while distribution/spamming is active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Monday of every week a new set of document download sites, and usually templates to accompany them, are generated early on
Monday morning/Sunday night.
- Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys used for C2 communications on each Epoch/Botnet change every few months.
- Binaries for Epoch 1 payload sites are different from the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard-coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00 UTC each day. It usually starts back up around 07:00-08:00 UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell which botnet a sample is from is to find the payload and then check the C2s/RSA key. HINT - CAPE Sandbox makes this
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
spam template, word template, document type and even payload.
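Since the observations above point to the RSA key as the quickest way to tell which Epoch a payload belongs to, here is an added Python example (not from the original post or the Cryptolaemus tooling) that decodes the two Base64 SubjectPublicKeyInfo blobs from the "Current Epoch 1 RSA Public Key" and "Current Epoch 2 RSA Public Key" sections above with a minimal DER reader, reports modulus size and exponent, and labels a key pulled out of a sample or sandbox run by its SHA-256 fingerprint. The DER walker, the `describe`/`identify_epoch` helpers and the fingerprint table are the example's own; only the key material comes from this page.

```python
import base64
import hashlib

# The two Base64 SubjectPublicKeyInfo blobs copied from the RSA key sections
# above (the whitespace introduced by line wrapping is stripped before decoding).
EPOCH1_KEY = """
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+
0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ
Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
"""
EPOCH2_KEY = """
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx
S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc
hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
"""

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def _tlv(buf, pos):
    """Read one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold the size
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(key_b64):
    """Return (modulus, public exponent, raw DER) from a Base64 SubjectPublicKeyInfo."""
    der = base64.b64decode("".join(key_b64.split()))
    tag, spki, _ = _tlv(der, 0)             # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)           # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = _tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _tlv(spki, pos)          # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsa, _ = _tlv(bits, 1)               # RSAPublicKey SEQUENCE { n INTEGER, e INTEGER }
    _, n_bytes, pos = _tlv(rsa, 0)
    _, e_bytes, _ = _tlv(rsa, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big"), der


def fingerprint(key_b64):
    """SHA-256 over the DER bytes: a stable handle for a key regardless of wrapping."""
    return hashlib.sha256(parse_rsa_spki(key_b64)[2]).hexdigest()


# Lookup table built from this report's keys; refresh it when the keys rotate.
KNOWN_KEYS = {
    fingerprint(EPOCH1_KEY): "Epoch 1",
    fingerprint(EPOCH2_KEY): "Epoch 2",
}


def identify_epoch(key_b64):
    """Label a key extracted from a sample by fingerprint, or None if it is unknown."""
    return KNOWN_KEYS.get(fingerprint(key_b64))


def describe(key_b64):
    """Summarise a key: modulus size in bits, exponent and the Epoch label (if any)."""
    n, e, _ = parse_rsa_spki(key_b64)
    return {"bits": n.bit_length(), "e": e, "epoch": identify_epoch(key_b64)}


if __name__ == "__main__":
    for name, key in (("Epoch 1", EPOCH1_KEY), ("Epoch 2", EPOCH2_KEY)):
        print(name, fingerprint(key)[:16], describe(key))
```

Both keys above decode to 768-bit RSA moduli with e = 65537, which is itself a recognisable trait of these payloads. The fingerprint table is the part to update when the report's key changes (every few months, per the note above); a key that parses cleanly but returns None is worth a closer look, because it may be a rotation the list has not caught up with yet.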

If I think of anything else to add or if anyone else has any suggestions, I will add them here.

Community Lists


Alienvault
https://twitter.com/SecSome/status/1130907545290383360?s=20

@JayTHL analysis of domains
https://twitter.com/JayTHL/status/1130705185691590656?s=20


Credits

(OC from @JRoosen and/or combination work of the following)

Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, 
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
@Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk

C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192

Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro

Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt 

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and 
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey , 
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch, 
@urlscanio, @TrendMicro and @Virustotal for providing services/software no charge to this cause!

Daily Log 05-21-19


Again no sign of emotet to me today in UK.

E1 running as DOC attachment-only again; observed hashes drawn from anyrun and hybridanalysis.
Given there were 87 observed hashes in E2 DOC, there are likely additional E1 hashes out there.

After 250 URLs delivering 87 DOC hashes, E2 snuck in a DOC attachment-only run at the end of the day; observed hashes for latter drawn from anyrun and hybridanalysis.

Limited updates to both epoch EXE, 3 copies of 74k each.

A big thank you to all those that report #emotet, via Twitter, URLhaus, URLscan and all the sandboxes


General News: 

<>


REVIEW:
If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
to open .JS files via Notepad.exe. You can follow my instructions here in this Any.Run:
https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
I recommend you do this because .JS malware is very 2016 or even earlier, and most users never need to run .JS or .JSE for that matter.
You can likely throw other extensions into the same configuration; @JayTHL had a nice thread discussing this here:
https://twitter.com/JayTHL/status/1126204098670411779

Email Template Report:

Generic templates on the most part, the usual body text listed below.

Review:
What we know about the threaded templates/reply chain (changes are marked with *):

- Emails are sourced from once (or still) compromised users all over the world.
*- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
to the compromised party on or before Nov 2018 until at least March 2019 (may be up to present). Have also seen emails going
back as far as June 2018.
- Now on E1 and E2.
- Now seeing German based templates that are essentially the same thing but in German.
- The injected reply is usually prefaced with the following: 
"Attached is your confidential docs."
"Attached please find the wire transfer form."
"Thank you for your help. Please see the attached."
"Load instructions attached"
"A printer friendly attachment is now included with each email."
"Click on the attachment to open or save the printer friendly version of your report."
- Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
- The link is customized for the display text of the link to show the real domain of the spoofed organization.
- These templates are pretty limited in run and not very numerous. 

Link Regex Report:

Regex directory patterns

E1
*https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)
https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/

E2 
https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
*https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/

NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/

These Regex patterns are to be used experimentally and at your own risk, but they caught 95%+ of link malspam.
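As an added example (not part of the original report), the following Python applies the E1 and E2 directory patterns above, copied verbatim apart from the leading "*" change markers, to a constructed block of text containing three URLs taken from today's Epoch 2 list (one inside an href attribute, as it would appear in a mail body) and two benign URLs. It shows the (\"|\n) anchor firing on both bare and quoted links, and tags each hit with the Epoch whose pattern caught it. The scanner function and the sample text are the example's own; the patterns are the report's.

```python
import re

# Epoch 1 directory patterns from the "Link Regex Report" above, verbatim minus the "*" markers.
E1_PATTERNS = [
    r"https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)",
    r"https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/",
    r"https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/",
    r"https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/",
]

# Epoch 2 directory patterns, likewise verbatim; the second one carries the (\"|\n) anchor.
E2_PATTERNS = [
    r"https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/",
    r"https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)",
    r"https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/",
]

COMPILED = [("E1", re.compile(p)) for p in E1_PATTERNS] + \
           [("E2", re.compile(p)) for p in E2_PATTERNS]

# Constructed sample: three URLs from today's Epoch 2 list (one as an href value)
# plus two benign URLs that share the wp-content/images directory names.
SAMPLE_TEXT = """\
Please see the attached.
http://912graphics.com/cgi-bin/btqbghdo7eu6ykg0zzxjohdj7_j9gac5n-2948099525/
<a href="http://kipsoft.vn/wp-admin/uXHCWQYIsUwy/">View document</a>
http://an-premium.ru/wp-admin/7b6ech5-svgat05-fnyjvh/
https://example.com/wp-content/uploads/2019/05/report.pdf
https://example.com/images/logo.png
"""


def find_emotet_links(text):
    """Scan text (a mail body, a URL dump) for links matching the report's patterns.

    The text is kept newline-terminated so the (\"|\n) anchor can close a match on
    a bare URL line as well as on the closing quote of an href. Returns one record
    per distinct URL with the Epoch whose pattern matched it.
    """
    if not text.endswith("\n"):
        text += "\n"
    hits, seen = [], set()
    for epoch, rx in COMPILED:
        for m in rx.finditer(text):
            url = m.group(0).rstrip('"\n')   # drop the anchor character from the match
            if url not in seen:
                seen.add(url)
                hits.append({"epoch": epoch, "url": url})
    return hits


if __name__ == "__main__":
    for hit in find_emotet_links(SAMPLE_TEXT):
        print(hit["epoch"], hit["url"])
```

Scanning newline-terminated text is what makes the (\"|\n) anchor practical: in a raw URL list the newline closes the match, and in an HTML body the closing quote of the href does, so the 7-32 character directory token cannot run on into a deeper path such as uploads/2019/05/. The patterns are kept exactly as published, so tuning a false positive means editing the pattern list, not the scanner.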


Payloads Report:

E1 emails would seem to be attachment-based only, no sign of active URLs.
DOC hashes above were drawn from anyrun and hybridanalysis.

E2 emails: about 250 URLs, and that was just from two sets; the third E2 set was attachment-only, no URLs found. DOC finished updating ~20:20


E1 EXE - only 4 hashes observed, three were ~74k, one was 14k (broken)
E2 EXE - only 3 hashes observed, all ~74k
This 74k EXE seems to be a V5

C2 Report: 

Combining C2 from all E1 EXE gave 90 unique combos in total. - recorded above

Combining C2 from all E2 EXE gave 93 unique combos in total. - recorded above


Closing:

I am out of office for next couple of days but will get the key indicator lists together
@ps66uk

TT

Sandbox 05/21/19

(all with fakenet and MITM unless spam/secondary infection)


Epoch 1 C2 run on 2019-05-21 
https://app.any.run/tasks/a720cac8-b419-49d0-ade5-3e9a1c40f23a/
https://app.any.run/tasks/5a3ad520-0643-4d7c-a616-762fd07f517e/
https://app.any.run/tasks/caea02b7-8711-44f3-954b-8ec838862cf0/

Epoch 2 C2 run on 2019-05-21 
https://app.any.run/tasks/221ca6b3-5303-4ee0-8d04-d09d72f2c813/
https://app.any.run/tasks/0aae5596-2f41-4555-9447-9d085d186e8a/
https://app.any.run/tasks/bca47fc4-5935-450b-97a3-a9cb7a84ead3/