Daily Emotet IoCs and Notes for 09/16/19

Emotet Malware Document links/IOCs for 09/16/19 as of 09/17/19 02:30 EDT

Notes and Credits at the bottom. Follow us on twitter @cryptolaemus1 for more updates.


All attachments as far as we have seen.


http://86passion.vn/wp-content/uploads/LLC/ztao4snc2zn3icihkub9cssxmmgg_s92vz8fi-83400702426/
http://avaagriculture.com/wp-content/uploads/esp/zksfry69cywyeva869_fcvujc2z6-68884639859/
http://aydin-transfer.biz.tr/wp-admin/css/Scan/wo8urpwi8ilbpu3huezp523x4ay_xb0bjymh-9572246251/
http://bestrip.telkomuniversity.ac.id/wp-admin/lm/duq8g5ilpabc_8tarvuenq-044872730/
http://blog.batalk.fun/wp-includes/20ysu87bbf47731u3fekfgdbwd3_dd3h1f-65441431/
http://blog.kobisi.com/wp-includes/Pages/lwhvRUfXazsPIfrpEZxSvMtgM/
http://canvas.printageous.com/wp-content/076078269892824/qUNEclMstuy/
http://chinapacific.co.nz/wp-includes/65300760429/pePzhQzJwkSF/
http://chuquanla.com/wp-admin/yj0m83mwqum88_bawcxx-778059512/
http://datasoft-sa.com/wp-content/kcdxzz1rd02o6sj6y_9xiho-41106884826/
http://ddhf.in/wp-content/Document/LLrzUpnvZIcVobRGHpQCXM/
http://duckiesplumbing.com.au/wp-snapshots/DOC/SJhxgbYSjf/
http://emmabeaulieu.com/networka/5s1io75wmblxuwrrw1z3q_797vc1lc3-93490304/
http://globaltimesnigerianewsmag.com/wp-content/sites/vMZrAukwUKOexUrXnQxMctasohyUnM/
http://hotline2heaven.com/cgi-bin/462810910567652/EyXtMIgqrfeGYVvwKGWKXWppkOi/
http://i-conglomerates.com/8lfx0jn/FILE/SbdnUMybkqDczUjFVe/
http://iewa.sk/wp-admin/parts_service/IlqQtXxoNtkdkiojakcdH/
http://iib123.com/wp-content/IdeltfyWjNcYSVqkuAiE/
http://jumpman.com.tw/cgi-bin/INC/bl9ggmp9_5yguluyr6a-1949529841857/
http://kisharzoni.ir/ticket_pdf/esp/jxxp1ai5ump_4jl99a-12961913/
http://levarudevich.ru/wp-includes/esp/MPuqJHEqnnZpfY/
http://maxtraderpro.com/wp-admin/sites/qzjlpDcXeBRLfWRuOwST/
http://mumbaifever.com/wp-admin/amjdsy0fo_i199e9zb-31499910739/
http://osim-heshbon.co.il/wp-content/INC/jvomtsl6xgzmv3ujubnv6an_l5yypu-6443077366234/
http://parsafanco.com/wp-includes/LLC/JquDHKGxHWdCOZyCDnOFbqV/
http://profexsystem.com/dist/3WIR6TGGZDN5VDE/FkCKYFtVMfhUpViQapyJifvkVBKCWR/
http://purplekushop.com/wp-admin/KZPMDF7RS4E68/v9ntwdgorregage3wwrm66v7c_i1yqqgs-797171856/
http://rpaconsultores.cl/filtromet/Pages/o43fphlp82_xrvfhr3-552085630/
http://safarnavade.ir/wp-admin/LLC/WurQUKCLhrrBzzndHpdtzovqyzoJ/
http://sotelo.cl/test/lm/LXblYSqZmDoCOqTjvN/
http://starbolt.eu/wp-includes/Document/jsVezfvZvLhxveUKPnucTLcElhifk/
http://sunchipaint.com.vn/wp-admin/Document/dawb84xl_piuu2as-9919296896/
http://tootco.ir/wp-admin/esp/wh9ij8dj_gyyl825m-12393197934992/
http://unitypestcontrolandservices.com/wp-admin/175m68h1y33pjjgz87_8wme2ufyby-569836327/
http://vaner.com.sg/oV4c/DOC/TnNeCqcAazSDRechLcktfNwEts/
http://www.alertaempresarial.com.br/wp-content/INC/njbgFuxPaoCihCLZuwKHthzVEwidug/
http://www.gongdu.xin/wp-content/sites/vxjSizeWJoGWVZTLYRXkACmh/
http://www.greenedus.com/wp-admin/INC/xt8k0pmlpur1m6et0k1rxu2uhpvq_kyod1h3ilt-856462386/
http://www.haosanwang.com.tw/wp-admin/parts_service/WnrlrAIEtMJoStdWcCGmuCAwr/
http://www.kattegattcenter.se/izkji/IDR3WB0J2/zAgvHSTXdjtdrZCWotktLZmwTaeJ/
http://www.mobiextend.com/New_website/Scan/yfquir5sn1saa4_cbgkyi7q-659756898154868/
http://www.mohsinsaeedulhaq.com/wp-admin/LLC/bttzsqzx0nt9junnyco5_hf4vzf94-70374427/
http://www.navenpsicologosgetafe.es/rky/Document/UYLLUuvgnqJoWnaaNFyOIgOowzfoF/
http://xn--9y2b19kb1eutan3r1zggxaw2wfxc.net/wp-includes/LLC/tn45s6fnyxcm2pv5d_n900n9khyr-70129461110/
https://86passion.vn/wp-content/uploads/LLC/ztao4snc2zn3icihkub9cssxmmgg_s92vz8fi-83400702426/
https://aardathdelivery.co.zw/ads1/gt3rbqjxpwkevbfw_id5xj3e-03065552031613/
https://aboyehia.com/cyj/662206737370605/jwt10s6ekq0tk0d9n7_fsyyu-9448666289950/
https://agungwaluyaproperty.com/wp-admin/LLC/kzOjkitXtNwatPvqyTMWdLFqOkDgK/
https://aisect.org/wp-content/PKclPmdnZOe/
https://albintosworld.com/wp-content/parts_service/KXZpusOBBOyKSvlug/
https://ametiseclinic.com/wp-admin/esp/IVSLxUtAVwFJPabFSwGayMAtvWhj/
https://animex.global/econ/FILE/fratCWAAAtdeoqSmLnaHrpdvlG/
https://armstrongfieldconsulting.com/sitemaps/parts_service/bZYnvonXCjYoVvchhlkHg/
https://ausfinex.com/wp-content/uploads/Document/tsGhqxxzvJcgcnsrBlbZkXxVNz/
https://aydin-transfer.biz.tr/wp-admin/css/Scan/wo8urpwi8ilbpu3huezp523x4ay_xb0bjymh-9572246251/
https://azure-team.com/wp-admin/Scan/jg3cb56figl4f0gd4oplmbtgm_b3a1bh-87659379/
https://blnautoclub.ro/wp-admin/LLC/yPHOKncKuBeunjIjOOqSFnOYv/
https://blog.batalk.fun/wp-includes/20ysu87bbf47731u3fekfgdbwd3_dd3h1f-65441431/
https://blog.haseemajaz.com/wp-includes/Scan/47q87hzfz9qho7ugop314rtmicja3f_el6i1f1yh-6722041024/
https://blog.kobisi.com/wp-includes/Pages/lwhvRUfXazsPIfrpEZxSvMtgM/
https://blog.lasoy.net/wp-admin/5475486806/CZvGOwXgtYb/
https://careervsjob.com/wp-content/Document/ybQdCEBsqLJaLcZjqMbWVpeeY/
https://datvensaigon.com/wp-content/themes/esp/v7p8sbu89r2auspkprmysrlqlgd_sque80cmlp-15301913/
https://dewibebaris.com/wp-includes/20896775313534041/6ah5jttgq71_resrzl-08883176/
https://dialogchelm.pl/old/QqvDHgKeSjoGqclsVYtmUxk/
https://digsneil.info/wp-admin/Document/0hcv3rltmf8nzlh0wrdkd_x686owre5-128754920/
https://efobf.net/efo/esp/ezspsgm55ddqjjwshecgesia2cjtf7_69qlkskfc-200989408/
https://emranweb.net/maruf/paclm/y09uvotnanny4_u88r3drsz-96422594/
https://enticapilates.co.uk/cgi-bin/lm/WdMaTHzZfixNcwJWn/
https://etechnepal.com/wp-includes/gusDmcauLNxzTeiI/
https://ethecal.com/wp-admin/sites/pyl6j5aah_eottjcf-539345791934398/
https://examsnap.io/wp-includes/699852196184872/zkgss3j746ghw_58xewllq-50487111/
https://farnamh.ir/wp-content/JUUUF51BLHT4H3/sqdfTjvPXtpUe/
https://floydology.online/wp-includes/DlgwHZaxdEoJkVfJukGkOTc/
https://gardenandmore.co.il/wp-includes/parts_service/mZOyXDsTCQP/
https://globaltimesnigerianewsmag.com/wp-content/sites/vMZrAukwUKOexUrXnQxMctasohyUnM/
https://hanifbaba.com/wp-admin/paclm/nfs60uw2moylv2n_h16zet-801019008940/
https://hierba-buena.com/wp-includes/lm/jcqkURzGltFWRKWnveaFILgebvRF/
https://hippbeta.000webhostapp.com/wp-includes/2a3o32vc_0vgiahna-2842418253/
https://hisnherunisexsalon.co.in/wp-content/g4030ceag5vn54d_heguyxhq-030808811372/
https://icbchins.com/wp-admin/includes/LLC/glGTrJnMdhatAT/
https://jackalopesoftware.com/iodlm/I5JSH9TB2HA/grkhBmpgQh/
https://joshgeneralremodeling.us/educarni.com/72izopqq_db5m8g-4856039954/
https://kolaysigorta.co/wp-admin/INC/xUmVHDVYHubXjjzLQNvlnjvnqFknf/
https://kursusdigitalmarketingmalang.com/wp-admin/esp/UTrSPWYHBOHTcOQwIo/
https://life-consulting.org/wp-includes/parts_service/jLJcFQtSkyLQUazganvdML/
https://lmntriximinds.000webhostapp.com/wp-admin/Scan/ruqLWZfgtWRwF/
https://modireit.com/wp-admin/FILE/fgv1tkgeimpm72ympy_34t0uv14-0264366940/
https://ortambu.net/wp-admin/Pages/BiWZLDNsknPMHNoJ/
https://ostriwin.com/structure_66/INC/btvz96m1ty5wlzjxa86ucvy99_fdzgywo9-7728438180/
https://perfume-dubai.com/cgi-bin/73UXB847YV4/9qoo1k26x179h4wcf2vlwgohnfk8i_9tqsmhu5-78072491699396/
https://pklgroup.pl/meta/uTMPayYYZdGnjoSOVDrSHtBdtKMEUi/
https://profexsystem.com/dist/3WIR6TGGZDN5VDE/FkCKYFtVMfhUpViQapyJifvkVBKCWR/
https://purnamahotel.id/ykpurnama.co.id/a7rmfvcwni_g5070l-679329386402152/
https://richhouse.com.vn/wp-admin/Document/s1ymuoqg0pp29qdpsocrmz6_7i73obj84b-0263170068612/
https://sachoob.com/wp-snapshots/INC/bfCYCyWu/
https://sazehatv.com/wp-content/FILE/59fj6jgc1po68asuh82_ybmekenm7-32992556/
https://schultecattlequip.com/cgi-bin/Document/QZhIEfqBdvRpYeiUzja/
https://shu.cneee.net/shufastudio/Scan/vv8xo9h9n2dp5af62kx_xdoeip5n-07937890306369/
https://solivagantfoodie.com/wp-content/sites/b9oksxovgi3ezlssy6zmi_nlih9-9400724385/
https://souzaeletronicos.com.br/wordpress/paclm/ouoMXGfiTOX/
https://sp2secenter.com/jangkurang.pajak/sites/vYFxZvuldxCyVpovARmxGWI/
https://standstrongbuilders.co.nz/wp-includes/LLC/m97dxxr0vkk22dkleal_w2cry8b03-234555588746/
https://starbolt.eu/wp-includes/Document/jsVezfvZvLhxveUKPnucTLcElhifk/
https://sunnypalour.com/wp-admin/parts_service/kpu2zkks9qj0g2k52_47cq8zyvf-14443767084954/
https://techcitybd.xyz/wp-admin/TIIP4483PXYAT0/8svcv2d8v1_ryyehqeg-9659195498/
https://thousandideaz.com/wp-admin/IPRQbXMJRUxtMXLFDiUpTMYId/
https://vip.muabannhanh.com/wp-admin/FILE/mkg7rmymjr_ibrls0nrj-411618777016/
https://wallsorts.co.nz/wallpaper/lm/ausEsHOLkVlcm/
https://webuycellular-radio-rf-testers.com/wp-admin/FILE/nbjjiNZCJnfE/
https://whatansu.lt/wp-admin/parts_service/RNQvuAxOM/
https://whichwaymind.com/wp-content/esp/rjSHEqlQMYwysrq/
https://www.dunlopillo.com.vn/wp-content/plugins/advanced-custom-fields-pro/sites/pxf2qxgnujru6o3tf3jmw_93k2o7vf-15567658281/
https://www.dunlopillo.com.vn/wp-content/plugins/advanced-custom-fields-pro/sites/pxf2qxgnujru6o3tf3jmw_93k2o7vf-155676582816/
https://www.entrevisionarysolutions.com/wp-content/Document/0rufhbbzfmfdmo_o8p8c9q7he-09889590497/
https://www.mobiextend.com/New_website/Scan/yfquir5sn1saa4_cbgkyi7q-659756898154868/
https://www.studiovista.fr/pedidos/XOKuNypDaKDts/
https://www.vpdv.cn/wp-content/9224e64k_wm9i6l-06355466529/
https://yardcommunity.org/js/Scan/RYiICkTSim/


Epoch 1 Payloads by Document SHA256 - All Times UTC #### (Newest on top)


Creation Time	2019-09-16 19:07:00	(Docx based with embedded JSE - Accept the license agreement)
SHA256:
b9ab1fadc7265cd5a8712bf6ff6c392059458f5fd2085a9754c4fb4412fb7e3c

https://indieconnectads.com/gcx5ln/5f8704/
https://ragulars.com/CmJb/ziv4/
http://ilyalisi.com/wp-admin/zdq0487/
http://limkon.com/wp-admin/lr41v586/
http://www.behlenjoiner.com/y3sb/e71h7936/

Creation Time	2019-09-16 12:22:00	(Docx based - Accept the license agreement)
SHA256:
a6ae9564e3bf0d0031646ac8fa869d564303d97afe77fbf52848587219bdbdb9

https://deepikarai.com/js/4bzs6/
https://yeuquynhnhai.com/upload/41830/
https://atnimanvilla.com/wp-content/073735/
https://womenempowermentpakistan.com/wp-admin/paba5q52/
http://blockchainjoblist.com/wp-admin/014080/

Creation Time	2019-09-16 06:40:00	(Docx based - Accept the license agreement)
SHA256:
0210051eff91fe9393d24f213da566d0b06b8ea7796413b5fd27e75125967850

https://lecairtravels.com/wp-admin/bXwjcdeg/
http://think1.com/wp-content/upgrade/2na4-4q5g-751619964/
http://broadpeakdefense.com/fbsgf/McZcBMeM/
https://www.biyunhui.com/fj/wbTKndf/
http://nautcoins.com/wp-includes/AcZxFxQ/

SHA256s for Epoch 1 Payload EXEs seen on 09/16/19 #### (Newest on top)


1e079b99b841a9d317953b09d0af041105d4b0ce5c72f0727fb0e098393ad35d
a474d2fe5a8b7dd8b3324281cd28b69b29f75643d3865f6f71d9ed0f865f2bbf
38c26e087b0130a5e4441328e754559dcbb09184c2fd482e722811b150fceab2
3e6760a33230b6788baf453889b22e26286ada98195acc2b1c5cfe9ac889a2e2
640e8be09947a358533c55d9755903258ba79f06389bc9fa118175e7ec8859b4
a8a1b2fa8e111ef0f40b31cb4915b08b6e49cb391cd61bf181e14f356ded0211
f5af8586f0289163951adaaf7eb9726b82b05daa3bb0cc2c0ba5970f6119c77a
89eaed3846b3ddfd6ff2920ce2391d2c4746de00cf222b561f92f2178a36b3c8
478cb4fff301d87b03c2c59863293d33d55bc84fa277f0e69783fee32a73c73d
a627ebfb3a4289278295ded2a547f44253a5f681580a424df5f68eb5d20c51bb
45220f34796220c461e5aff0d9c716b55a1b5fcf55000f52cb2b51107c5d33c6
faee2f8ebce625d307138679192abf6164780d9ba6b963c1b118dc63dd900868
0324ee7eec52f53b458a898709cfd193cbef7415ab343f5f9c3facb4fe2199d9
2471997442d926052454ad1b7887a0b0a540bee30c3878abe1dbb7c1aa89e309
5f0483d2c16abda58d4e52c8b21281db8fc0b484763963276f2d626a80e8483a
a18faba8062db5a854d11d210d3e0c3b5653f11c2f588e1b0d5cf9a2c332ef42
54892cc44a27d88e997567288cd6fdbcaae411a35d702fe9246144c094cee123
71e94410317b7ab10d76dfceb0c2aec3bb55181ec34ed29af52d7acf823da9ee
20d1c6c90b5da456f3c1c1e337547737debccaad99f0acc90bc7348bf8694695
f2ed1fe5dc8567ed89c0678d9009fdd75d0d057ca11fbce95323ecc8891b8358
2f7b6b995013e939d1eea0e7418e040443ac41cd20fa9b6ab9f070a60bf607ee
2c493042bddeb1a6beb82a54f58d34b3a57d3ce38dc5fdcf6fc31be6e1edf831
d2cc30dd44afc072119a8e02537243568438645328c53ef40ed9acc8149d366a
242bffe38ddc84329e5af38b7efbb7277170a5cefb0718e39adb5dea70542727
a551621db27286874dd1b37ff6e577e6b39bf282785655d17a6eceaed18eb17b
0ff7216a3c5f542e89331527a91c30236b11673e66c3ec77da401f07322e61d9
20d941f8b45061ce58ea0ae446714f44696500ae1580d03924ad45c43e4ed5a3
78e5dc3d953e9d6e28602354716fd686f0dcbf9fc536620eb75e695d704e9abd
0ab07c5024ec43b453427d2bf94b387ced20d8ad70b85c07abad9ea4fc1cb638
fafe4e019ddf6096cac44437efb9c6f78007fa17982ee372f226a9c3b1986cdb
6b678eb07f52967b56280d6063056acfbb184ca87e63e7509ac6affc171d3af1
bb8f1c8da1d8700e6999b975c1e5762d0691c90b20d23594a3ab0932bde2fa26
f6398efa2e15f30378b2dc9bbd7a15e8005e3bfe159e7765d7d857ba9f4ee97f
431bdcdd2b4376e85fb2d4d7b3d016778fa75641dfcff301c485f2fd413df38b
13abc79252ed38c78db131f3a8bc86ffa78823987718bb3fb7ca01553d3a56b1
81ad3a23ba23187bfc93744d95f47d914b7aefabe2f3d42bf31442ffacee4eaf
b61c1795a5d3766d381820eaebac1d71e85e9aa121e7443c6c1017109753607a
4948cdd2c53fbd57e937e6609311c93a8dc2145cf9bced95c5bf254b3d4b0fda
eec423c93dc0f2a8dad9c99330213f82869756857e62a5f9db8c37011fa289fd
438c99279aa6488d594ec65e1060feece0788f23d7a727fa4feb4cbfb7a3ef21
945dbeca8cf79510eed7220c73e1a909a3a2a346c6f12df349f81446aad1a9d6
49d2bbc69cf1c1e86168702b2a69ce401ca2fa8c96ec529dc7a21928aca62b86
398e43449985ab123d580ac2afec240891de5bb3cc2d14e68a8f786fd27560f6
6fe54465978b3e6ee0e10bc4d213688dd48d3f1329909df0d5533075086dc1f7
0d348e7c83632eb5da248d853128e6a7e982851ce0a2bfc48e7e209c0756e9fd
4343a4459487368dfe39c202d97d565bda50d10dc44aec724a911638655b902b
bff2ce303c649b0359abe9058310da363f2f02eb41f4d949a45d1f1892bdb7ac
de9ba0736015447b14b7efc2cbdce83a4a11cce9f429e1a0b40b5379e1246980
0fb60a4b52a28123d2a2338cb9897dabb0ded9539b16237fbb78c4e5509decbc
31f248f2b2b7b7f65354ddeeeb5d5e45757e36a5ccb6c2d4638f277d1387d317
ecd6bdd2c61d1b24116353b0e2bc5c78581c089ca0b316738b3c68fda1d9d224
f622c8a8adb38b72c0c59486210c20bfd4b242571db35800179be99fb312ace4
654781784a562d9fb703ceaf704c400be225a4396510e05ac1a8e27619c07dbd
1130846fd4fb6d92851b7ccfddb3d8f86015e99c300856b35490cf0b9072915c	
d9be0ae29102479d2b77c0a803cb595d5edd044cb0e80d52018dbe3422b27e51	
87a1c670f0ab51d2cfa08c2a4d05c447019dbcdbd4f77ae907a71a91a5d80652	
9b689d1286e6be2b573d78871d9b37f239d4e6521086826b19f9c2e4e3abe7db	
c8763b3e9c7e06c240500c0bb927662493a2a27ad4a307120df68f0950504ee2	
af8b29c3ca17d0653f999c33de0fd28a5dfafeadd4119cfe9410ed62f9179f5e	
432d9eb6bb0e785e5b72c0975362838cdf8a54bbc9ff9d81c2bffd3d1e4b9a8d	
e11dbdacb2e7fdd36ec564dd3d44ce93b8597b78c6afac12869af37565a4a296	
30783ef5751b6a9d9b9e1559f3ae7aa3b4dfb9b736f82bf9e8cb5e758ffbcd68	
68133579b1b006c89fab93974b19cb46e861554aab58f7dc1629e083691df23f

Epoch 2 Payloads by Document SHA256 - All Times UTC #### (Newest on top)

Creation Time	2019-09-16 20:53:00	(Docx based - Accept the license agreement)
SHA256:

https://www.dentalsearchsolutions.com/wp-admin/AjCJSljig/
https://keqiang.pro/loading/bod5dh_xwsv6or-811/
https://playasrivieramaya.com/wp-admin/VVGGRvJF/
http://alldc.pw/wp-includes/widgets/cpw5gj9g_ikzzx3-381928/
http://dywanypers.pl/wp-admin/RUYqcQcEy/

Creation Time	2019-09-16 19:13:00	(Docx based with embedded JSE - Accept the license agreement)
SHA256:

http://rockstareats.com/wp-content/themes/NUOAajdJ/
https://www.inwil.com/wp-content/oyFhKHoe/
https://abidjanboutik.com/wp-snapshots/fDxfQEaUw/
https://vemalandsafaris.com/wp-admin/ghizsza2q_3esemg243-375091893/
http://dateandoando.com/wp-includes/y0mcdp2zyq_lx14j2wh2-0551284557/


Creation Time	2019-09-16 12:15:00 (Docx based - Accept the license agreement)
SHA256:

81983d78a24e7efa772165337ddc69e05cea6fe9c38ce9cb325b3533062de2e0
29bdfcc3199174787b6d06c2644014e0eabbea0c26271f520c409d9d91010681
b97742b1aac24f43fa818416372e4644c392004f9c17c169dd38ece1ebe54001
1820eb75f1e8c98cf4fe4d0612eab746790d2402ad098fe604b95f728f41c2dc
2c0d6177b01d70ca758f89c89b98cb5ccfbdfbbb1e22f10d451163cc5c009857
2e17b8c2ccded6c1ccfb9c2a052d7f8eb72a6a327814a6e61c77953123c122a4
14f1b2c599348d9fa905d8a4a43a2bcfe761b7997e99d43d8456c862a26fe34c
39594774c62d8a5580ca64ff6d78fbf002e39fae5c5c6fa3768256173a8db9f9
f0a3d087f392d8a32c1d6e60d3f8a349c9df597f604c2ac03358be9472f91916
7e3b7bc7797f8d8821b3376d04551d8f778b8eef12b8e418a125676931dd7c5b
89256a55caf6f01694daea9019ffd546642d9f2ba6ead3cd29334a9da97dd845
50a86111e60baf9785296b5a28dee4ae379194bf4fa8e7ff627a9329eee973e1
95574f62bd6f4556aca6150efb52d894e206a85c171c5604edb991bb99d18c0c
b48fcf1606ec3228318d8d37306fc13bc0168942c4b177b74abdb741e53d2db0
4aef49903fa17d6a883026a6cdd366a780aec3416464d942fa62124fa4c88868
9baf3af52a399355169932f9cc30076cc583d8a94eae8aad7cb17238a3bbf2c5
6b2145f69f7d7857226b8616000d8d673d1d77288015980c17e6aa0d2afd4906
4cb36e8f33cb7dd53fcbfe507f63cef8a37da70813158a966ed1cdb6a56d1dea
313fe2531a5d844ef493f917fad432f86530b4855ffcdb2fda04e819440d6584
c23651290d3aa7e7d392ee4e88e00fae6f308c45e8a6d6ea62e99b3bbe407447
dac5f7ef886153933b3267ff4f9dffd028c1a80f0fb251ad9d2cbbeff1250b9c
9b741b23cb0614ecf3b0e0cd1f22441a412410c864ede76d885e8a6986cd7905
d2ee79e70d1406a8846d71bb9debf37f3df0b6d038b32185b0814fc62dfb5510
c9e396f50129e3e84818382eeb9ea036e03a9688b06a672fa44e206a5d3c5658
a3df01c5c8779cd8467510502189197d0a5f61d38c8335d01ea01761d0f0aaca
fbd4b41f19010363789f4af9c3ad1b5f0b11dade28fb02b60b974cd810120862
bde1f6dc02e4451960d40db382aebfa8912f0113d1e07c790e0567e828c3a97e
c3ced7ba13657aa95afc7edc3b1ec78e01adda831810a7d7a239207acdee4c6f

https://tabxolabs.com/tmp/7832x74_brffu77vf-50/
https://www.mutlukadinlarakademisi.com/cgi-bin/g4ldq_0s0c68-8714953239/
https://holyurbanhotel.com/wp-content/HSVEcEvCF/
http://customernoble.com/cleaning/sKLNdWntI/
http://keikomimura.com/wp-admin/JpcOnLqcTr/


Creation Time	2019-09-16 06:30:00 (Docx based - Accept the license agreement)
SHA256:
5c01d00bb096038d3c1b11a0cb056590fe9734d93d6e9db0e71f5b90ded67889
ce4dc68ace8a94f11602e5a7eed7842062ca5c639e894cd856bd654d5f7d44ae
51f44deb419bb97e3f5d6757a1a92802ab07f3e338e094820a0e72d70e084efe
1b07db24d1f7bf59051fee6b5987a74fd300aed451153317a77c293dbbeb9ca7
e6561d81e4abd48f0dbdb2cc34b97c173cc2cfecbd0890b0547ee68b04e9e61e
c8252ddc30fa4674a3fff56ae3363fa04961d48b8ac4a319c3aa53f84b3ce597
41c0d49b0ecc112396da2b246d91520b7e5ae87f17470231098e0af1075d9a47
eee144531839763b15051badbbda9daae38f60c02abaa7794a046f96a68cd10b

https://autorepuestosdml.com/wp-content/CiloXIptI/
https://pep-egypt.com/eedy/xx3yspke7_l7jp5-430067348/
https://bondagetrip.com/wp-content/y0gm3xxs_hmnw8rq-764161699/
http://danangluxury.com/wp-content/uploads/KTgQsblu/
http://www.gcesab.com/wp-includes/customize/zUfJervuM/


SHA256s for Epoch 2 Payload EXEs seen on 09/16/19 #### (Newest on top)


3d67559445d6511418e18377c7d36a29ad7e85395af7ef10c3b7913d332b2b0a
22300315ac6ee90f2570db20e65d24012bdc361721ece2e8b12fd8daf1148e66
e75b95a3bde08bd3535f185d85f62f41ec0c87fc3a73ba0d6035b3f120639e67
1c8b3d2cf9871305c881e9ef3331b7579f624442dee49043fbaa2fe03d497b6d
6076e26a123aaff20c0529ab13b2c5f11259f481e43d62659b33517060bb63c5
10b706cfac5a268938cbd87c67ad33a58fd9e99cb7ad7d3d4b76e306723019f6
e635a83bce547181ed260875fe1604cb12cc59e321e6dea68bc82923e680f7a0
0e5dd233268954ecc084cda659cc3a4197e490835016d27c31cb6fe9daa5a086
8930664706c17540284b6dc0f12bd33720404924122e0900c2fcf88a4031199b
806a52294dc0b769bf5a8e5f4d1cc2d9c0bfcc9e3f6d9bec1327f954cdfc7f58
74e7d2b826b4dd468fbab74c53d430678a362c258ef7be1a7a06ba4b8091ab00
07479df41d7fea005d82941eb66fc4ad003d2c11b565339276214bd5d4464cd7
0f882f7469772cde21992f8ac5f50eb59f3d9a5271fc2d6199a503bd32e8baf1
22bb4f5cedd169ef7f8a6b5b6b186c94ff79a5e61eb6bde90bd1032ccf4c7936
43de547c9cdddafab9e902ad9d29a0d1d76dedfc6846c9a77c594ce3e7989ea2
10b706cfac5a268938cbd87c67ad33a58fd9e99cb7ad7d3d4b76e306723019f6
cb90b05535b95201a8311d4bf36d6bfb6ee0f613d8f56c61ba44c73acea73763
f13d2a7d2f1396c630f3c4c2d9e2317282cb57da6bd6de16f37852191825c6c6
e2e43bcad963966c26853772b5b559f0df8e28af9d11aecf3ccea7995b8ef717
8f05aa95aa7b2146ee490c2305a2450e58ce1d1e3103e6f9019767e5568f233e
61e0ac40dc2680aad77a71f1e6d845a37ab12aa8cd6b638d2dbcebe9195b0f67
30ce2cd88eeba300fc467d0ea8c192aeeb6eda4aca7f047d8044bc9e29d8a221
6f6d8e4633b451996f8b0f9041905272462a957e5800d05ac15290ffe2d11ee4
ea8ae00bc747888c0609727bf8a3e0de7fdaf3b6965303608917e137b4b1c7de
3833d99c2960611c425af15953f70489b9da6d052fe7b331afec5e8aa0a49fac
7080e1b236a19ed46ea28754916c43a7e8b68727c33cbf81b96077374f4dc205
4225076c5b5ebe8330ec6776b90ce797f9751bc6d07c51fc901f4190c14f38d1
4d3dd34346cbc7696ccee792725f536ece16d61c35896869eb3f134779c49c5a
3e4814fa4ed2faf58e48d3b3dc09537c192df7027d27b75135749b1b2d2370da
577311ac0b0c8e876a3318328d041ae53f0106a221902b37c66ec70b2f2f0ad8
0b37604c06fcdaf8de10ef39f601e0a05d4768e04d0d7ee1a3a8dc0a3079e924
6c21e9fe8d455b2b2c4e7170e0c0846ba75225d1d541e4db33c602a92ff5d5df
8ac0fbc25a731245b1674c20783731a7c86cb7a1547d52deb1390f51c0efe8ab
83d4aafc951a45ed97af674244b61267ed67fde1b9effd195dbea510a097f43b
f080820b1c0d3dad4b06735db33eafecd7d004e00ea3d0097f08a022ea589c6c
c9e77d36104005bf8e3386d06e26294ff3c22ad58ba28b1909be681cac64f58b
bf5ec419fc6a6ffb65ad0943edcd1ad3e612e5f0597c8d6ac4863ea219904f87
e90125cb9a75bb2a81fdcbc81d969e3ad8347d682af852814da5675d659d5ad7
1db7b19ab8600d3f8538f5497e149f207065e36300788755122b12a55ca05a60
343892c83a24488466c785ffde4b85e8c7d69019499a150beb94ccc85c489d62
9b4bf0c627e1f32f8dc5dfca3d6d873e99adf5865c5e4a6f4f9b43425ba60085
aa408a7bb6c5bd4d2936f32884540e644010c61420b6f64b4df38c5e6eb44ee5
ad261263e32d4bce3745a5cfe78b2b47d37e022e20f3079af2fe3230761bdd35
dcd608c24c50d2c2ff86419d21db10eea3264c4f2340eb82db17854c1f8ece88
5936e2143981d1792179527701c27af36470084b97685940a587e8df18047c78
1963dc690e0a45cc47aa8d5a0451cbb896be31c93e76c9033d8510dea2a4a580
b08a194bd345fa6c784f298142e1c78f8d533cf8812580c67d66b310e0f86c96
68445f9e4a56d8cda4fbcb45e59349f48af6d3f8ea1ed8698d5a0cbbb352df63
3b330c7f5395213055b3a6072ad7281372f4985d57ffed0d4c87aa22e8172afb
5bde3e9161ec51fbbfa98075f53e931a6a9146810ce31f85c1a1077393f1c51d
6dcabdc7212822bbd1f0435c4f6281cc4f5e33e3aa0e8f80d2fa990a4107b89d
d1086a2e1e0b04fc79ab70adb5811a11d42657f3db7bc179726d8d57154e385a
b8365d497705bb46ebcb0e779c78c95b7592dabe9ae45d66250d1f9176763499
6a05a914dd7d889ce887d6a71ae1487513630b3d3df52f0d0fae87b61fd075b7
69fcb9dfdcb9765a41b290d4a3e94b02c509f1b0326c8e6bf5e65c3f0ab7c332
ad72452ab04ab78da9c38230f2d0b5404a7cca0f8dc26231cadb63cb4f338331
4d7ffcdfe85cd3b3de6b768aa12cde0cace0e1b8508a0ca6931eda43516115a1
6c51bbb3d97b88c31882a0b8490b3bd347c8237aa640861e7e97fdea6655d2ed
4566bc66cf0bc4e1c96680db28e97fe9ae129e63ee64582a017fb0e62b8ea523
6f06872ff5ac11c64235e02e9ada2bac60a78343da519e9aed13b08276f11a42
d2f0260c778970fa178d5050f02f93bb06d2e98666fbd5ffed11594cee1053db

Epoch 1 C2s


109.104.79.48:8080
109.169.86.13:8080
123.168.4.66:22
125.99.61.162:7080
138.68.106.4:7080
149.62.173.247:8080
151.80.142.33:80
159.65.241.220:8080
178.79.163.131:8080
179.62.18.56:443
181.188.149.134:80
181.36.42.205:443
181.48.174.242:80
183.82.97.25:80
183.87.87.73:80
185.86.148.222:8080
186.83.133.253:8080
187.144.227.2:7080
187.155.233.46:443
187.188.166.192:80
187.242.204.142:80
190.1.37.125:443
190.19.42.131:80
190.230.60.129:80
200.21.90.6:8080
213.120.104.180:50000
43.229.62.186:8080
46.29.183.211:8080
62.210.142.58:8080
69.163.33.82:8080
72.47.248.48:8080
77.245.101.134:8080
80.85.87.122:8080
81.169.140.14:443
83.29.180.97:8080
88.250.223.190:8080
90.69.208.50:7080
91.205.215.57:7080
91.83.93.124:7080

Epoch 1 - Spam C2s

	
104.236.185.25:8080
31.31.78.203:8080
45.55.82.2:8080

Epoch 2 - Stealer C2s


66.228.32.31:443
198.50.170.27:8080
216.98.148.157:8080

Current Epoch 1 RSA Public Key


Old Key (Still works)
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB

New Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0 h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB

Epoch 2 C2s


103.97.95.218:143
104.131.11.150:8080
104.236.246.93:8080
117.197.124.36:443
125.99.106.226:80
136.243.177.26:8080
138.201.140.110:8080
142.44.162.209:8080
144.139.247.220:80
149.202.153.252:8080
152.169.236.172:80
159.65.25.128:8080
162.243.125.212:8080
169.239.182.217:8080
173.212.203.26:8080
175.100.138.82:22
177.246.193.139:20
178.62.37.188:443
178.79.161.166:443
179.12.170.88:8080
179.32.19.219:22
182.176.106.43:995
182.176.132.213:8090
182.76.6.2:8080
185.94.252.13:443
186.4.172.5:443
186.4.172.5:8080
186.4.194.153:993
188.166.253.46:8080
189.209.217.49:80
190.145.67.134:8090
190.186.203.55:80
190.226.44.20:21
190.53.135.159:21
198.199.88.162:8080
201.212.57.109:80
201.250.11.236:50000
206.189.98.125:8080
211.63.71.72:8080
212.71.234.16:8080
217.160.182.191:8080
222.214.218.192:8080
31.12.67.62:7080
31.172.240.91:8080
37.157.194.134:443
37.208.39.59:7080
41.220.119.246:80
45.123.3.54:443
45.33.49.124:443
46.105.131.87:80
47.41.213.2:22
62.75.187.192:8080
64.13.225.150:8080
75.127.14.170:8080
78.24.219.147:8080
85.104.59.244:20
86.98.25.30:53
87.106.136.232:8080
87.106.139.101:8080
87.230.19.21:8080
88.156.97.210:80
91.205.215.66:8080
91.83.93.103:7080
92.222.125.16:7080
92.222.216.44:8080
92.51.129.249:4143
94.205.247.10:80
95.128.43.213:8080

Epoch 2 - Spam C2s


185.187.198.4:8080
198.58.114.91:8080
91.205.215.10:7080
	

Epoch 2 - Stealer C2s


46.105.131.69:443
176.31.200.130:8080
104.131.58.132:8080

Current Epoch 2 RSA Public Key


Old Key (Still works)
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB

New Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2 PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB

Credits and Notes Section


WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
 
NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

What is Epoch 1 and Epoch 2?


What is Epoch 1 and Epoch 2? (updated 03/07/2019)

I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures and separate RSA keys for communications.
Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more
rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group, e.g. going on breaks during the same
time period.
Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different from what is being delivered at the same time on an
Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change every 10 minutes on both Epochs while distribution/spamming is active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Mondays of every week a new set of document download sites, and usually templates to accompany them, are generated early on
Monday morning/Sunday night.
- Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys used for C2 communications on each Epoch/Botnet change every few months.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA key. HINT - CAPE Sandbox makes this
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other, as if the first was a test. This has been observed for obfuscation,
spam template, word template, document type and even payload.

If I think of anything else to add or if anyone else has any suggestions, I will add them here.
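A worked example of the identification step described above (find the payload's RSA key and hard coded C2s, then match them against the per-Epoch lists on this page). This is added here as an illustration and is not part of the original Cryptolaemus post or the team's own tooling. It parses the base64 SubjectPublicKeyInfo keys listed above with a minimal DER walker (standard library only), reports the modulus size and exponent, and attributes a sample first by key fingerprint and then, if the key is unknown or unavailable, by C2 overlap (the post notes C2s are never shared between Epochs). The keys and the C2 subsets embedded in the code are copied from this page; the `classify_sample` helper, its return format and the sample C2 inputs are my own construction.

```python
import base64
import hashlib
import re

# RSA public keys exactly as listed on this page (base64 SubjectPublicKeyInfo, wrapped with spaces).
EPOCH1_KEYS = [
    "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB",
    "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0 h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB",
]
EPOCH2_KEYS = [
    "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB",
    "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2 PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB",
]
KNOWN_KEYS = {"Epoch 1": EPOCH1_KEYS, "Epoch 2": EPOCH2_KEYS}

# A subset of the ip:port C2 pairs from the per-Epoch lists on this page; extend from the full lists.
KNOWN_C2S = {
    "Epoch 1": {"109.104.79.48:8080", "109.169.86.13:8080", "123.168.4.66:22",
                "125.99.61.162:7080", "138.68.106.4:7080", "149.62.173.247:8080"},
    "Epoch 2": {"103.97.95.218:143", "104.131.11.150:8080", "104.236.246.93:8080",
                "117.197.124.36:443", "125.99.106.226:80", "136.243.177.26:8080"},
}

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _tlv(buf, pos=0):
    """Read one DER tag/length/value starting at pos. Returns (tag, value, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(b64):
    """Parse a base64 SubjectPublicKeyInfo; return modulus size, public exponent and a DER fingerprint."""
    der = base64.b64decode(re.sub(r"\s+", "", b64))
    tag, spki, end = _tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, alg, pos = _tlv(spki)                       # AlgorithmIdentifier
    oid_tag, oid, _ = _tlv(alg)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = _tlv(spki, pos)                   # subjectPublicKey BIT STRING
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsapub, _ = _tlv(bits[1:])                  # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    tag_n, n_bytes, pos = _tlv(rsapub)
    tag_e, e_bytes, _ = _tlv(rsapub, pos)
    if tag != 0x30 or tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("malformed RSAPublicKey")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {"modulus_bits": n.bit_length(), "exponent": e,
            "fingerprint": hashlib.sha256(der).hexdigest()}


def classify_sample(key_b64, c2s):
    """Attribute a sample to an Epoch: by RSA key fingerprint first, then by C2 overlap.

    key_b64 may be None when only the C2 list was recovered from the sample.
    """
    info = parse_rsa_spki(key_b64) if key_b64 else {}
    if info:
        for epoch, keys in KNOWN_KEYS.items():
            if info["fingerprint"] in {parse_rsa_spki(k)["fingerprint"] for k in keys}:
                return {"epoch": epoch, "evidence": "rsa-key", **info}
    hits = {epoch: len(set(c2s) & known) for epoch, known in KNOWN_C2S.items()}
    matched = [epoch for epoch, n in hits.items() if n > 0]
    if len(matched) == 1:                  # C2s are never shared, so a single-Epoch hit is decisive
        return {"epoch": matched[0], "evidence": f"{hits[matched[0]]} known C2(s)", **info}
    return {"epoch": "unknown", "evidence": "no key or C2 match", **info}


if __name__ == "__main__":
    for epoch, keys in KNOWN_KEYS.items():
        for label, key in zip(("old", "new"), keys):
            print(epoch, label, parse_rsa_spki(key))
    # Constructed sample: unknown key, one C2 from the Epoch 2 list plus an unrelated address.
    print(classify_sample(None, ["103.97.95.218:143", "198.51.100.7:80"]))
```

Running it shows every key above is a 768-bit RSA modulus with exponent 65537, and that attribution falls back to C2 overlap when a sample's key has already rotated out of the known list, which is exactly the case the note about keys changing every few months warns about.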

Community Lists


https://www.malware-traffic-analysis.net/2019/09/16/index.html -@malware_traffic
https://pastebin.com/ZcULst7R - @p5yb34m
https://twitter.com/VK_Intel/status/1173805803167506432?s=20 - @VK_Intel

(sorry if we miss anybody, make sure we get it by @cryptolaemus1 in the post)

Credits


Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:

Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161

C2 info/RSA Keys - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @VK_Intel, @Paladin3161

Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @p5yb34m, @malware_traffic, @Paladin3161

Spam Templates - 

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and 
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
@urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software at no charge to this cause!

Daily Log 09/16/19


@JRoosen here, very short on time today. I decided it would be a good time to do a server migration last night and today was a
rolling dumpster fire. Still, I want to take a few hours and combine the great work of the community and add a little of my experience
on the top to do a report today. We saw both botnets going strong today with malspam, and new RSA keys showed up on each botnet also.
Will try to summarize quickly what was seen.

General News: 

Pretty much everyone was chiming in to say it is happening. *queue your Ron Paul gifs* 

Some interesting things to note:
Brad at @malware_traffic found that Emotet was dropping Trickbot gtag: mor1
https://www.malware-traffic-analysis.net/2019/09/16/index.html 

Any run saw the spike in traffic:
https://twitter.com/anyrun_app/status/1173536485607452673?s=20

@campuscodi posted about it:
https://twitter.com/campuscodi/status/1173565137300721664?s=20

As well as the good people at @bleepingcomputer:
https://twitter.com/BleepinComputer/status/1173694888212385793?s=20

Also @raashidbhatt shows a Polish template:
https://twitter.com/raashidbhatt/status/1173518446534877184?s=20

Email Template Report:

Reply chain malspam was seen on E1 and E2. There was heavy spamming hitting the EU (particularly DE, IT, PL and UK) with
CA and US targeted shortly after.

Link Regex Report:

Only E2 seemed to be doing link based malspam but I am looking for more data. If anyone has E1 based link malspam please share.
Will get to these tomorrow or shortly.

Payloads Report:

Our own James Quinn @lazyactivist192 was on the case today finding the offsets and logging the key changes. The work for keys
and C2s was primarily his. Binaries were updating on Distro quite quickly with C2 updating every 3-4 hours. C2 binaries were on
a different hash busting path it seems also. Both Distros stopped around 1800 UTC for some reason and are "Stuck".



C2 Report: 

After the big purge right after the wakeup last week, C2 combos have stayed pretty close to the usual 55-65 range, with the cycling
in of about 6-7 new combos per day on each botnet.

C2s for E1: 62 combos in total - recorded above
C2s for E2: 65 combos in total - recorded above

Closing:

As fun as sleep deprivation is, time for me to sleep at 2:30am local time. Here are my thoughts on this, now that the gates of hell
are opened, that I wrote last weekend but never got to post:
There is no question now that Emotet is back and to my surprise both botnets may be going strong. Unfortunately, all the
blocking of the static C2 list for over 3 months did not kill these bots. I am frankly surprised given all I saw the
community, LEAs and ISPs do to take action on this. Despite all of these efforts, here we are again. Good luck to everyone
next week should the malspam spigot be opened.

TT


Sandbox 09/16/19


Epoch 1 C2 run on 2019-09-17 at UTC - Tomorrow

Epoch 2 C2 run on 2019-09-17 at UTC - Tomorrow