Emotet Malware Document links/IOCs for 05/27/19 as of 05/28/19 01:00 BST
Notes and Credits are now at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.
Epoch 1 Document/Downloader links seen for 05/27/19
<none>
Epoch 2 Document/Downloader links seen for 05/27/19
Epoch 1 Payloads by Document SHA256 - All Times UTC
Creation Time 2019:05:27 19:49:00 (Attachment Only - DOC Based - ENG - 365 Blue Background)
Creation Time 2019:05:27 15:47:00 (Attachment Only - DOC Based - ENG - 365 Blue Background)
Creation Time 2019:05:27 06:41:00 (Attachment Only - DOC Based - ENG - 365 Blue Background)
SHA256s for Epoch 1 Payload EXEs seen on 05/27/19
Epoch 2 Payloads by Document SHA256 - All Times UTC
(may be one more to find)
Creation Time 2019:05:27 15:38:00 (DOC Based - ENG - 365 Blue Box)
Creation Time 2019:05:27 10:29:00 (DOC Based - ENG - 365 Blue Box)
SHA256s for Epoch 2 Payload EXEs seen on 05/27/19
Epoch 1 C2s
Epoch 1 - Spam/Stealer C2s
61.92.159.208:8080
104.236.185.25:8080
50.116.63.9:7080
Current Epoch 1 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
Epoch 2 C2s
Epoch 2 - Spam/Stealer C2s
<not updated>
198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080
Current Epoch 2 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
Credits and Notes Section
WARNING - Some links may have been taken down shortly after I reported them to URLhaus (urlhaus.abuse.ch), because they rock and report everything
to ISPs once it is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
https://paste.cryptolaemus.com
NOTE: The doc DL URLs are now in alphabetical order. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.
What is Epoch 1 and Epoch 2? (updated 03/07/2019)
I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed different timescales of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures and separate RSA keys for communications.
Epoch 1 is currently the larger of the two botnets (Mar 2019) and I think it is the main push of Emotet currently. Epoch 1 was a smaller, more
rapidly changing version of Emotet at one point in the last half of 2018; since then, Epoch 2 seems to be the smaller of the two.
This seems to change back and forth over a 6 month period. Despite having unique, unshared C2 infrastructures, these two botnets have been seen
to move bots from one to the other and show similar behaviors, seemingly controlled by a single entity/group, e.g. going on breaks during the same
time period.
Here are some observations I have noted since I have been watching these botnets:
- Checking a document download site from Epoch 1 will deliver a document that is different from what is being delivered at the same time on an
Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change every 10 minutes on both Epochs while distribution/spamming is active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Mondays of every week a new set of document download sites, usually with templates to accompany them, is generated early on
Monday morning/Sunday night.
- Both Epochs may share a host for binaries or documents but NEVER the same directory, e.g. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys used for C2 communications on each Epoch/botnet change every few months.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell which botnet a sample is from is to find the payload and then check the C2s/RSA key. HINT - CAPE Sandbox makes this
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
spam template, word template, document type and even payload.
If I think of anything else to add or if anyone else has any suggestions, I will add them here.
Community Lists
Credits
(OC from @JRoosen and/or combination work of the following)
Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
@Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192
Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro
Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
helping out with this!
Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
@urlscanio, @TrendMicro and @Virustotal for providing services/software no charge to this cause!
Daily Log 05-27-19
No emails for me today :| - late start to distribution, and a new executable naming convention
A big thank you to all those that report #emotet, via Twitter, URLhaus, URLscan and all the sandboxes
General News:
https://twitter.com/decalage2/status/1132900273175891968
REVIEW:
If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
to open .JS files via Notepad.exe. You can follow my instruction here in this Any.Run:
https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
https://twitter.com/JayTHL/status/1126204098670411779
Email Template Report:
Generic templates for the most part, with the usual body text listed below.
Review:
What we know about the threaded templates/reply chain (changes are marked with *):
- Emails are sourced from once (or still) compromised users all over the world.
*- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
to the compromised party on or before Nov 2018 until at least March 2019 (may be up to the present). Emails going
back as far as June 2018 have also been seen.
- Now on E1 and E2.
- Now seeing German based templates that are essentially the same thing but in German.
- The injected reply is usually prefaced with the following:
"Attached is your confidential docs."
"Attached please find the wire transfer form."
"Thank you for your help. Please see the attached."
"Load instructions attached"
"A printer friendly attachment is now included with each email."
"Click on the attachment to open or save the printer friendly version of your report."
- Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
- The link is customized for the display text of the link to show the real domain of the spoofed organization.
- These templates are pretty limited in run and not very numerous.
Link Regex Report:
Regex directory patterns
E1
*https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)
https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/
E2
https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
*https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/
These Regex patterns are to be used experimentally and at your own risk but they caught 95%+ of link malspam.
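As an added example (not part of the original paste), the three E2 directory patterns from the Link Regex Report applied to a constructed URL feed, showing how the (\"|\n) guard recommended in the NOTE drops a benign URL that the unguarded pattern would flag. All hosts and paths below are constructed (reserved .example names), not taken from any real campaign.

```python
import re

# The three Epoch 2 (E2) directory regexes from the Link Regex Report above,
# copied verbatim. The long directory-token alternation is split across lines
# only for readability; the resulting pattern is identical.
E2_DIR_TOKENS = (
    "administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|"
    "DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|"
    "parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|"
    "wordpress|WP2|wp-admin|wp-content|wp-includes"
)
# Known-directory pattern without and with the (\"|\n) false-positive guard
# that the report's NOTE recommends appending after the last slash.
KNOWN_DIR_CORE = r"https?:\/\/.+?\/(" + E2_DIR_TOKENS + r")\/([A-Za-z0-9]{7,32})\/"
KNOWN_DIR_UNGUARDED = re.compile(KNOWN_DIR_CORE)
KNOWN_DIR_GUARDED = re.compile(KNOWN_DIR_CORE + r"(\"|\n)")

# Order only decides which name is reported when more than one pattern hits.
E2_PATTERNS = [
    ("e2_underscore_dash_digits",
     re.compile(r"https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/")),
    ("e2_known_dir", KNOWN_DIR_GUARDED),
    ("e2_triple_dash",
     re.compile(r"https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/")),
]


def classify(line):
    """Return (pattern_name, url) for the first E2 pattern that hits this raw line, else None.

    The line is scanned as-is, keeping its trailing newline or surrounding quotes,
    because the guarded pattern must see what follows the last slash.
    """
    for name, rx in E2_PATTERNS:
        m = rx.search(line)
        if m:
            return name, m.group(0).rstrip('"\n')
    return None


def scan_feed(text):
    """Run classify() over each line of a URL feed; return [(line_no, name, url)]."""
    hits = []
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        result = classify(line)
        if result is not None:
            hits.append((lineno, result[0], result[1]))
    return hits


def guard_effect(line):
    """Return (unguarded_hit, guarded_hit) for the known-directory pattern,
    to show what the (\"|\n) suffix changes on a given line."""
    return (KNOWN_DIR_UNGUARDED.search(line) is not None,
            KNOWN_DIR_GUARDED.search(line) is not None)


# Constructed sample feed: paths are invented to mirror the shapes in the report.
SAMPLE_FEED = "\n".join([
    "http://shop.example/wp-content/AbCdEfGhIjKlMnOpQrSt/",                      # known dir + token
    "http://blog.example/wp-includes/DOC/abcdefghijklmnopq_abcde1-1234567890/",  # name_word-digits
    "http://news.example/31gy/abcd12-efghi-jklmno/",                             # x-y-z
    "http://legit.example/images/gallery2019/thumbs/photo.jpg",                  # benign, extra path
    "http://legit.example/wp-content/uploads/2019/05/report.pdf",                # benign
    "http://legit.example/about-us/contact/",                                    # benign
    '<a href="http://shop.example/wp-admin/AbCdEfGhIj/">download</a>',           # quoted href
]) + "\n"

if __name__ == "__main__":
    for lineno, name, url in scan_feed(SAMPLE_FEED):
        print(f"line {lineno}: {name}: {url}")
    benign = "http://legit.example/images/gallery2019/thumbs/photo.jpg\n"
    print("guard effect on benign line (unguarded, guarded):", guard_effect(benign))
```

Lines 4 to 6 of the feed produce no hit, and line 4 is exactly the case the guard exists for: without it the known-directory pattern matches /images/gallery2019/ even though more path follows.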
Payloads Report:
Late start, ~10:30
E1 - attachment only, no URLs found; observed DOC hashes (12) drawn from anyrun and hybridanalysis. Additional French DOC names in afternoon.
E2 - 167 URLs in two EXE sets, the final set may be attachment only. Additional German DOC names in morning.
There is a new EXE naming convention. Possible parts:
ideu,free,capture,tenant,watson,peekat,english,asptlb,shim,netserv,ait,camera,alaska,begin,magnify,cpp,dmrc,intl,enable,vcr,violet,reviews,number,loopa,tcg,ratings,resize,sitka,prime,namesof,dso,summary,routing,alabama,loan,manual,chapp,cvt,wfd,proc,mdmmct,iptb,unmute,gdi,draw,wnv,fnc,show,contact,spc,wlansvc,classic,msra,sharp,align,diff,lev,dist,ias,edit,black,jpn,svcguid,cntl
RSA keys unchanged
New module with as yet unknown functionality observed.
C2 Report:
C2 from E1 EXE gave 90 unique combos in total. - recorded above
C2 from E2 EXE gave 86 unique combos in total. - recorded above
Closing:
<>
TT
Sandbox 05/27/19
(all with fakenet and MITM unless spam/secondary infection)
E1
https://app.any.run/tasks/fe5706c1-37f3-40a0-85e7-687f0cb3e560
E2 https://app.any.run/tasks/4971e1b6-b33a-4674-88ea-e285d614d558