Daily Emotet IoCs and Notes for 09/18/19

Emotet Malware Document links/IOCs for 09/18/19 as of 09/19/19 01:45 EDT

Notes and Credits at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.




Payloads per Epoch by Document

Epoch 1 Payloads by Document SHA256 - All Times UTC (Newest on top)



Creation Time	2019-09-18 19:03:00 (Attachment Only - Docx based with embedded JSE - Protected View)
SHA256:
b5a9b073c35be4462f63e39f9d1a5df88aa146ae8a74978c624073b4dbe8bef8
a9654cbaccc8394389d791d865bd59766d45b20cd4b9e753ebee275a0d671af3
a35b700fc21adcbde82f1883584cb0353a2f1ce0839fea801f00d86e9866a4e5
7921256c11c83cbfe08f42648703fed477f6ca468de315ddaaeaa0c5a0229025

https://www.cityvisualization.com/wp-includes/88586/
https://87creationsmedia.com/wp-includes/zz90f27/
http://karencupp.com/vura1qw/s0li7q9/
http://www.magnumbd.com/wp-includes/w2vn93/
http://minmin96.xyz/wp-includes/l5vaemt6/


Creation Time	2019-09-18 14:38:00 (Attachment Only - Doc based - Protected View)
SHA256:
15a3596629f6772062ff562e943a574ed8b378ead279fb67be922d584abf731a
67bf25d1b01502974657fc85c823e2b765620e80ac29843fb5367f934c6e14af
185aad1ed76889c3bc266d57be88a308fe4e327cf628b00ba9bf5cd20f1b8537
a02ea75848580682d7bbaecb3b4fd991be2c46832f42daf9328dd3eec0825664
e1bce4d42b83a244af8cd06f990a20606602ea6cb6cc4ca5eee5e89abc601343
d1e721dd421d6bad1dcc2ac1b44c482f89cfc8bdb5a2d5ad744edb8fd47d41a5
09940bc30b89d0e269e0b1226e575459018309af1b612d6f6fbe3f6dea40b5cf
e22a9596f5f82e75feb46ab5c8690f25842fe03d03aa9cce41e9d8ba301268fe
c1f7f8b62bd82cb682f69cfeb9f05e2404e3de061d9ce06e2dbe586ec199e547
c6355ca1a2710e7fd4b2cd4ab4066c5fd46db99735166f1d3ee09780641ce382
f4903ce8ea06e78db686bccd687857f7129f425cb03b79ac39ee6a7ad5567d2e
0273ff39d3d80423866d88d377797daa3477c93a0aca537d18674d5dbc8817fa
44193897b15e5b25abd4fdaec44923b9b44eef2d49b330934bc47f91d6a82107
583a4805108c1e8eb72160e73c3359d54fff3240b57e5705364035428ab5d471
e5bb80609117df7494c7b5ce9b996c25bd06db8c82cd404484e84b8f2a15010c
2fc714f53a8a70cb55710477b662cf89039b83279fc24ab34a1e862dcfd926b5
cff8d68e20920ba54a2842961706a6d210ddc344194861f654de469e555259ca
9df2d703ae7175247156855b30d60cb132e98a7748ffbb476182e8bf78031530
83fd823455aa7341bfb8e4d9c9d092062505913668325b48d49f4ed8eafc8d99

http://thinhvuongmedia.com/wp-admin/n2keep7/
https://mnpasalubong.com/wp-admin/nsmz9az032/
http://trunganh.xyz/wp-content/uzq50/
https://iptivicini.com/npkx/jwpy938/
https://www.cezaevinegonder.com/conf/fd45/

Creation Time	2019-09-18 10:25:00 (Attachment Only - Doc based - Protected View)
SHA256:

http://brikee.com/gallery/4dcmn72430/
https://www.echelona.net/wp-content/tyh57769/
http://grupoeq.com/leds/dal52301/
http://kirstenbijlsma.com/ecp4/mhh20305/
http://paifi.net/ssfm/bm840/

Creation Time	2019:09:18 06:22 (Attachment Only - Doc based - Protected View)
SHA256:
01997bf9c459e1250484878af709735d9dc1343db78ee117e14056b28316bafa
1ce0bc0a3cecaa2241c21250e4b3d763529e94e858536a3687474084032e3980
825c80d062051acfbcaa45dcc3939da8866a6dc71f8da31cae4ac6feca9a3463
360f281360d3b69a414e4a9c367ed67a8401bfb1c6d1203d5d558400130b52e5
4dcfdbd73ec71eb47bec2b47b6805862b7b293abc8164b2f026d28e5f9faa84f
5337010281693ce4799107545c9444a616ed6bb6cddc50905a114004fa4ccf4c
475d0fca066d6a90ec8fc6c38554f93f5c9c547d76a7714a3bfa72a8d2f45079
1183fb03a7aadf6028ad96311034c4541cf9784223692d7cb637dd0562b693b6
3f5a2ddf0ce35dcbb69bc07a247923226b7f1554788e4d913156c4df5587e0f7
fc3bf8ae50dba94341ef983729d33e4bcbf347412145ec41834701896a79ffda
ec61f28c35692cfad5b115c56f29e1aa5ea62425448cc42fe78392c1627545d1
a4bb536c33391f0217fbd4e62cad15dd0995078aa6277641b34493b06a45d54b
bf3fc32ab210d1583a926a1cb8777ac9f78d9615ba79dc7f79298526a42e34d0
d5b9cfc175db0e99d88e07d631e699068fac095a211d92afe8d7dc762bb0151d
e62936a928c0f2259973811d55f2bf018089b1532d0e59c2ace42921abf1d8bd
449e8d2c64a643f4ffc796b921a0996d3b4d06bc41fa374ac8bc899068bf7ca0

http://dirproperties.com/cgi-bin/fd14999/
http://run-germany.com/scripts/jc828208/
http://saxtorph.net/DOC/5ndqov018/
https://sukhumvithomes.com/sathorncondos.com/ucwna794/
http://vanscheers.com/cgi-bin/gorp7v455370/


Creation Time	2019:09:17 17:51	(Attachment Only - Doc based - Blue Office 365)
SHA256:
b3ac4bad78694e606ba685d44e10edca9307a356268edf15d41c765023b51010
581c365eaf2f810aad99863c554d1f250df2ee303c9730350ac26af80bfec379
6403f5c81411c98c3d86890d4b3787a334ca3b37e6e3d09ed8a148d2d64ebdb6
246560e045e5e090a4a165da0238cc7340fc85d4412cce1fc5592698f1206e00
0d19aa73c37bcbe27e9e3b3eaad9c5b02e8d27bf6656700388aa0b46365c9425
21cfcdac6e5f2d9ae30de0a6a2a31537a14766d3bb0d747ed76da07a9fb90433
7d31a000c8fc9ac94b74ec200eb7889ed31b2bd934e66f1c795d70d2806a916b
ede47da9bf4f9ac755b67561d1d3c6e3a8c90ac071f6f165bb8d430a107cf1b2
a35dbba6ee021b32447958ebb080cd92322df466c2176333da0aa6a8908a195c
f6e9f4bd578f0ce81b02105a8ca6fe1a3d5dcae69a207d131e3bd1427226c743
4f8e0f4215fe887f29e3f6351c826ac1cc6305305c43c800ff38e2933374dbac
e554334c4dcf2e1e4184191907b4d6c83d513c79ae71e25d2f9fa4bad22ee8b0

https://stackspay.com/wp-includes/0sxfg82114/
https://www.reza-khosravi.com/wp-content/q2/
http://w3brasil.com/sistema/p5q207/
https://www.pronhubhd.com/cgi-bin/m0cux6/
https://www.karenshealthfoods.com/wp-includes/95oos267/

Creation Time	2019:09:17 10:49:00 (Attachment Only - Docx based - Accept the license agreement)
SHA256:
2c5e35988c772ca2ecfbe0a4608a983244c4790aaf251800316d46f69eba19ad
3c1f66712738a67c4f8805b1580142181969041b62a9ac6bc2dfe0197cb50eca
34d2b83245696fa1dd24ef9ed4b33ef9172e9f6e274928628bd24c1de0763b47
bf0ef180e13f8ac6fb5f147a7773a688f1d54fc6f478ca90ac403074eae33a21
eb4571b997aaf51434fa77fcecd83cda43489882eeaae99c680859f54b47429b
65ed503aa5df39bc7549a1f214248e65642e0aca37baf8de16c879f4aa41f266
8b8f082d17bf74b4be2eaffe167bb0e228052366ec07ee8fb3bdc2ac3d8a314c
c18c17e19cbd27f03f6fd71d4134c325706c9af836d641ed389029d7d7ef18a4
95ca385f5ccd5e1ece5d34148fd82d01eebd1194308108a951650059cf09160e
08c9f6ca7ae476b878ff40120a051af4aea32eeb2be40a4b052f3ee35e29a4a0
4c33a6fcc83d536e49d620fc48d8719984f4d16de4c48081c25483122a0209e3
ce8542b000044b2a84f282bc0b0935debb8a39eb36eb293f528c7dc3280d9e5c

http://fitchciapara.com/wp-admin/rau3e7/
https://www.internetshoppy.com/wp-includes/971426/
https://blog.medkad.com/wp-admin/e9684/
http://www.sirijayareddypsychologist.com/roawk/0kwsol940/
http://komatireddy.net/wp-content/911968/

Creation Time	2019:09:17 06:17:00 (Attachment Only - Docx based - Accept the license agreement)
SHA256:
76e96261a65bb317f4172d624456d5c309c9d051103b987453eb9963ec8a92f0
c10f92893f43eea05733b1b4b8ec0d8aac8573a5da19c79a26f2edec85aa80fe
23a1816874f187f506dcec05e215e6aa9ad2e5aa5ae724fde708d09811211927
0029ae9d5f47187d586e165f0c8d6570f45b02b5119ec1017db53f361c00a64e
3cc81f3afddb01557b191ea19b85f9741814c3d91740979244e8a6f54c1dd27d
7ff1f47725f414bc141e1fbedcd39f75b6248bbba554183937d675f7f1e158f5
78789d26eca37d1a801133bda3765085a3115e67ef8f9336c2603888e4517a0b

https://gpmandiri.com/wp-includes/5u9493/
http://ketabnema.com/sitemap/uenjlbm4074/
https://www.njb-gmbh.com/wp-admin/o2p1fm4237/
https://brkhukuk.com/wp-admin/1xk1qcm0404/
https://interpathlaboratories.com/wp-admin/bn67564/


SHA256s for Epoch 1 Payload EXEs seen on 09/18/19 (Newest on top)

Epoch 2 Payloads by Document SHA256 - All Times UTC (Newest on top)


Creation Time	2019-09-18 19:03:00	(Attachment Only - Docx based with embedded JSE - Protected View)
SHA256:
492200f1889c3f0351bfb8829f4c9c0e75e49ca7236594c69b503968a2203a0c
9371ff0a86790bb9e2fa2a6255d6ecc4ceaef9453ea6b69d7d31302d34fb92f3

https://www.wuus.org.cn/3eusq/ly5js61iu_f07y3m4-5718594/
http://proslandvietnam.com/css/b8u3_00lsmx0zgc-495/
http://nympropiedades.cl/wp-admin/iq3pr_81osc29-842240/
http://picnicapp.co.uk/wp-includes/vLFkVtMg/
https://www.bildideen.site/wp-includes/wtjFNonb/


Creation Time	2019:09:18 14:32	(Attachment Only - Doc based - Protected View)
SHA256:

https://www.patrickglobalusa.com/wp-admin/fSRkAFjqv/
https://pipizhanzhang.com/wp-admin/3ciornz_iulayscz-679646/
https://tankhoi.vn/wp-includes/XTSugzNaz/
https://www.supercrystal.am/wp-admin/PdMInSgs/
https://hotel-bristol.lu/dlry/MAnJIPnY/


Creation Time	2019:09:18 06:25	(Attachment Only - Doc based - Protected View)
SHA256:

http://shael.org/hosting/TYXchcKkHz/
http://www.lottizzazionesavarra.it/wp-admin/zMifZDPur/
https://herrenmode.tk/5usqjlew/ttg22zcf_q5chov-377215/
http://nfbio.com/img/upload_Image/edm/pic_2/u6q4ucq7_hyg8uzhh-369963559/
http://endofhisrope.net/2008-08_PSBearDonate/qmiuOZvDj/


Creation Time	2019:09:17 18:40	(Attachment Only - rtf based - Accept the license agreement)
SHA256:
a582abc9959dc6bf4f194137346f8b1499ea16a3323f6fa9788fee7222e005da
70806f99f7f064a0de78179b272b157132705d2ea8b7b304d8e00dbd5af17925
33cba618d674f70209c0baf6681edbb947e1f74fd30bf2060f8c99b44b90f91e
2d3ee28cbaf2d5ce25485c102c8eb5156181f6a77a9c21ae08bca23ce70bf648
a492d83b9218e1c55c12c2c5d581f871175ff6e8ed6d4b53cbbaae4eba856a5a
3b8dcbe357c69971faa80c48316e7587fcc5a0e0c6243772e3c61f75f669cd36

https://www.randomelements.co.uk/tfmuz14/lfEcgPfoq/
https://www.wanbuy.net/wp-includes/1njjz_tnye71hdc-64236/
http://www.perubakes.ml/wp-includes/d7k2_pvffym7oz-9913706/
http://foxnib.com/c3uftcyx/mg8jp0zp0_0gtxu-17/
https://clubedoestudante.net.br/wp/RcQUCaJC/

Creation Time	2019:09:17 10:36:00	(Docx based - Accept the license agreement)
SHA256:

https://www.59055.cn/wp-content/f7c18_onqapey8-49048/
https://www.xinlou.info/wp-content/zomusjj_rgsps3-791960/
https://larissalinhares.com.br/wp-admin/ttzTQwatYY/
https://toptarotist.nl/cgi-bin/r1y59l_283xx-97329804/
http://www.robotechcity.com/wp-content/nyCCqximrj/

Creation Time	2019:09:17 06:08:00	(Docx based - Accept the license agreement)
SHA256:

http://maceju.com/blog/wp-content/uploads/ke35rmm8a_lks5g8-82/
https://maymaychihai.com/wp-admin/MgBWkjXP/
http://jannahqu.org/wp-content/c72aexcrys_zuuy0kvr6r-8372/
http://szmoldparts.com/wp-admin/nHqceUHmJ/
http://nomadztruck.com/wp-content/uploads/SfwpziJD/

SHA256s for Epoch 2 Payload EXEs seen on 09/18/19 (Newest on top)

Epoch 3 Payloads by Document SHA256 - All Times UTC (Newest on top)


Creation Time	2019:09:18 15:20	(Attachment Only - Doc based - Protected View)
SHA256:
291108e76aa29a2cffe54fbb938938f3c0b3495276481b7fd92869188828b35d
64e94504ab11f0fe3f3207da28902e9d699707d95478e22dbeca0de669dfad5e
67b949c40e680b32757b8e60fe0a01a1a08781e8af7756e563fc26d985032977
705cb2b6dede75c722a0b001ed9797b729465f113286b495a4e8e78998ac557a
cd64df4432b53cd92db53b9a424a86b4df0ea3c50de36ab8fc967751423b156e
f44386cd1fb4acae231833634044f4c219d6b72c03f9a7dacf98a25db3dbc889

https://www.brooklynlilly.com/wp-content/PyVMSpAl/
http://blog.internationalfertilityacademy.com/wp-content/plugins/classic-editor/jzbNbooyL/
http://marcofama.it/mail-icons/lwnei7-dxih50s9p-883209316/
http://think1.com/wp-content/ktTAcbN/
http://drapart.org/Prensa/k0viv68-5v5-2137/


Creation Time	2019:09:18 06:34	(Attachment Only - Doc based - Protected View)
SHA256:
102786cf9bf58279d2564e81a98a3a3db9837e6a63c299372946da66c8da128d
674babcd87c78efd5fd0497c4089ddc548361a2eccea80fc93e693ab26682c90
0bcba8185e0801f427ecdbc93b5e7691065e315f56a29525cd9c83e42bead7a9
65d30eac355e49c33b4152afb0c5b4ae43002299e994a7461106beef908f040f
9a064ef8d927384d69879f5711cdd91dd26b6a1b53ba40c0642b185a9c1d05eb
5227f61a42d3dce99a3c607ed66b1cb4b65703c4fe1846f31d5c254d67f525ef
6a911ce34b005cf9abd4468df82caf441b69eb45c00bca5fa03b5b636f0a5110
bb79ab15d8913361881f564ad2368be86c5fc55aeb829057c95a55dffd781071
ac4ce5a9ca0a1dcf08f157a555029d8803faf9b8f92eba1e071605f31fd6cfbd
4aa2be4d10eed47e6e2a82cc61bc012da82b39bf0b9ff214a21ce7b4eb6a05d4
68cf954a2ac70d69005dd78276beb58690d3dc3959f24e706a35116e4e873a38
870901eb42447a5c2735977e211f7064d038ba01031f17137058d5f9f7c57be9

http://higo.net/JupvMyhM/
http://kursy-bhp-sieradz.pl/pub/dDqkeXb/
http://lesantivirus.net/css/qj199-j311-12675/
http://leafdesign.jp/imge/QfFPZDeO/
http://tpc.hu/arlista/OmwmIQkgP/


SHA256s for Epoch 3 Payload EXEs seen on 09/18/19 (Newest on top)


C2s Per Epoch

Epoch 1 C2s


104.236.243.129:8080
109.104.79.48:8080
109.169.86.13:8080
119.59.124.163:8080
123.168.4.66:22
138.68.106.4:7080
149.62.173.247:8080
151.80.142.33:80
159.203.204.126:8080
178.79.163.131:8080
179.62.18.56:443
181.188.149.134:80
181.36.42.205:443
181.81.143.108:80
183.82.97.25:80
183.87.87.73:80
185.86.148.222:8080
186.83.133.253:8080
187.155.233.46:443
187.188.166.192:80
189.129.4.186:80
189.244.245.238:80
190.1.37.125:443
190.117.206.153:443
190.19.42.131:80
190.200.64.180:7080
190.221.50.210:8080
190.230.60.129:80
198.199.106.229:8080
200.21.90.6:8080
200.57.102.71:8443
200.58.171.51:80
201.163.74.202:443
203.25.159.3:8080
207.180.208.175:8080
217.113.27.158:443
217.199.175.216:8080
23.92.22.225:7080
46.21.105.59:8080
46.29.183.211:8080
46.41.151.103:8080
5.196.35.138:7080
5.77.13.70:80
50.28.51.143:8080
51.15.8.192:8080
62.210.142.58:8080
62.75.143.100:7080
71.244.60.230:7080
71.244.60.231:7080
77.245.101.134:8080
77.55.211.77:8080
79.127.57.42:80
79.143.182.254:8080
80.85.87.122:8080
81.169.140.14:443
86.42.166.147:80
88.250.223.190:8080
89.188.124.145:443
91.205.215.57:7080
91.83.93.124:7080


Epoch 1 - Spam C2s


104.236.185.25:8080
31.31.78.203:8080
45.55.82.2:8080

Epoch 1 - Stealer C2s


66.228.32.31:443
198.50.170.27:8080
216.98.148.157:8080

Current Epoch 1 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB


Epoch 2 C2s


103.97.95.218:143
104.131.11.150:8080
104.236.246.93:8080
117.197.124.36:443
136.243.177.26:8080
138.201.140.110:8080
142.44.162.209:8080
144.139.247.220:80
149.202.153.252:8080
159.65.25.128:8080
162.243.125.212:8080
169.239.182.217:8080
173.212.203.26:8080
175.100.138.82:22
177.246.193.139:20
178.254.6.27:7080
178.62.37.188:443
178.79.161.166:443
179.32.19.219:22
181.143.53.227:21
182.176.106.43:995
182.176.132.213:8090
182.76.6.2:8080
185.129.92.210:7080
185.94.252.13:443
186.4.172.5:443
186.4.172.5:8080
186.4.194.153:993
188.166.253.46:8080
189.209.217.49:80
190.145.67.134:8090
190.186.203.55:80
190.226.44.20:21
190.53.135.159:21
198.199.88.162:8080
201.212.57.109:80
201.250.11.236:50000
206.189.98.125:8080
211.63.71.72:8080
212.71.234.16:8080
217.160.182.191:8080
222.214.218.192:8080
31.12.67.62:7080
31.172.240.91:8080
37.157.194.134:443
37.208.39.59:7080
41.220.119.246:80
45.123.3.54:443
45.33.49.124:443
46.105.131.87:80
59.152.93.46:443
62.75.187.192:8080
64.13.225.150:8080
75.127.14.170:8080
78.188.105.159:21
78.24.219.147:8080
85.104.59.244:20
86.98.25.30:53
87.106.136.232:8080
87.106.139.101:8080
87.230.19.21:8080
88.156.97.210:80
91.205.215.66:8080
91.83.93.103:7080
91.92.191.134:8080
92.222.125.16:7080
92.222.216.44:8080
94.205.247.10:80
95.128.43.213:8080


Epoch 2 - Spam C2s


69.43.168.232:443
185.187.198.4:8080
46.228.205.245:4143

Epoch 2 - Stealer C2s


46.105.131.69:443
176.31.200.130:8080
104.131.58.132:8080

Current Epoch 2 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB


Epoch 3 C2s


108.179.216.46:8080
138.197.140.163:8080
139.59.242.76:8080
149.202.153.251:8080
152.168.220.188:80
159.69.211.211:7080
178.249.187.150:7080
181.230.126.152:8090
190.10.194.42:8080
190.104.64.197:443
190.13.146.47:443
190.146.81.138:8090
190.171.105.158:7080
190.55.39.215:80
190.55.86.138:8443
190.92.103.7:80
192.163.221.191:8080
200.82.147.93:7080
201.113.23.175:443
203.150.19.63:443
216.154.222.52:7080
216.70.88.55:8080
45.33.1.161:8080
46.32.229.152:8080
70.45.30.28:80
78.109.34.178:443
83.110.75.153:8090
83.169.33.157:8080


Epoch 3 - Spam C2s


41.185.29.128:8080
94.177.253.126:80

Epoch 3 - Stealer C2s


178.32.255.133:443
198.46.150.196:7080

Current Epoch 3 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB


Credits and Notes Section


WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch 
because they rock and report everything to ISPs as soon as it is confirmed to be malware. Additionally, 
this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are now in alphabetical order. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

What is Epoch 1, Epoch 2 and Epoch 3?


(09/17/19)
With today's find of Epoch 3, which split from Epoch 1, this section will be rewritten in time to reflect these changes.

Community Lists


https://pastebin.com/arKqrRyh - @executemalware
https://pastebin.com/326t7QiV - @Paladin3161
https://pastebin.com/3Lp9pfpb - @SecSome
https://pastebin.com/3FPvZ9f4 - @HerbieZimmerman
https://twitter.com/malware_traffic/status/1174423386245738496?s=20 - @malware_traffic

(sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)

Credits

Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:

Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161

C2 info/RSA Keys - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @VK_Intel, @Paladin3161

Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @p5yb34m, @malware_traffic, @Paladin3161

Spam Templates - @devnullnoop

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and 
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey , 
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch, 
@urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software no charge to this cause!

Daily Log 09/18/19


@JRoosen here with a bunch of data that @ps66uk put together and I added to and built on. I am still fighting a lot of fires at 
my day job unrelated to Emotet, but I am doing my best with the rest of the team to get you the latest IOCs and details. 

General News


As many people reported, we have a new template which @ps66uk has dubbed "Protected View". 

We also saw a short run of my favorite Light Blue Offset junk template this morning on E1. 

Drops Report


Today we saw Dreambot being dropped on E1 alongside Trickbot. Most of the drops from Emotet of late have been Trickbot
with the gtags MOR* on all botnets. Today we saw MOR3. There was also talk of GBA* gtag Trickbot being dropped, but I did not see any
personally.

Email Template Report

I am still not getting anything that is Emotet related, but I am hearing of more and more instances of reply-chain based spam. It seems
like all of the email exfiltrated after C2 woke up is being used as well. We have heard of and seen dates from late August to early
September on the messages being replied to.

All emails today seemed to be attachment-only based, and the attachments were docx with embedded JSEs or DOCx (docm), or even RTF yesterday
and today!

@ps66uk noted some of the new phrasing of the reply text in the reply-chain emails.
https://twitter.com/ps66uk/status/1174430064169115650?s=20

Here are his full notes on this:

Text added to reply-chain emails:
----
I am getting very frustrated that after multiple phone calls nobody seems to be able to resolve this issue. Further to our conversationI have forwarded the email. Kindly assist, please. Thanks :)
----
Please find attached your most recent documents.
----
Please open the attached document.
----
Please process attached doc. If you require anything further, please do not hesitate to contact our office.
----
Payroll reports are attached to this e-mail.
----
Please see/review attached.
----
Hello, please find attached remittance advice for our recent payment to you
----
I know we chatted recently about this – but I can’t recall if we discussed this moment.
----

Malspam was being sent out in DE, ES and FR quite heavily this morning in addition to the normal EN. One thing that seems 
clear after the break is that the Emotet team is taking a more multilingual approach this time. Each day this week we have seen 
languages we normally do not see this often.

Waiting for more over the next few days, IF they come back.

Payloads Report


@lazyactivist192 saw a new, larger loader (400KB+) released today on all 3 botnets. He saw very strong similarities between this
new loader and Trickbot's loader. I highly doubt this is a coincidence. It seems like the Emotet guys have been trying to find a 
better loader for some time. This was being released on C2 and distro at the same time.

We observed today that E3 seemed to only have 2 quintets of payloads. I am not sure if that was just Ivan running out of 
time or if something else was going on. It seemed like there were more loader updates but a lack of distro happening for some
reason.

It seems like C2 loader updates and distro loader updates are starting to sync up again. I don't remember seeing them with the same
hashes for quite a long time. They had been following different hash-busting patterns and also different loader types for a while,
as noted by @lazyactivist192 before the break and up to the current time.

It seems like distro and C2 on E1 and E2 stopped hash busting or attempting to give new loaders after about 12:00 UTC. At first
E3 did the same, but then did a limited run of the older loader hash busting until about 16:00 UTC. Then we saw all 3 do a large 
Trickbot-like loader around 20:00 UTC +/- 2 hours.


C2 Report

Combos (IP/port) on E1 and E2 are about double to 2.5x what we see on E3. I am not sure why this is or what the purpose of E3 
is as of yet. So far no signs of E4, but I would not be surprised if it appeared.

60 combos on E1
68 combos on E2
27 combos on E3
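The combo counts above are counts of distinct IP:port pairs per epoch. As an added example (not Cryptolaemus tooling, and not code from this page), here is a small Python parser for a paste in this page's layout: it walks the per-epoch "C2s", "Spam C2s" and "Stealer C2s" sections and the line-wrapped RSA key, lower-cases and de-duplicates SHA256 hashes, validates and de-duplicates IP:port combos (rejecting anything that looks like a combo but is not a real IPv4 address and port), and counts combos per epoch the way the report does. The heading patterns are assumed from this page's own section titles; the embedded sample is constructed from a few of the page's indicators plus deliberately duplicated and malformed lines so the de-duplication and rejection paths are exercised.

```python
"""Parse a Cryptolaemus-style daily Emotet IoC paste into validated, de-duplicated
indicators and per-epoch combo counts.  Added example, not Cryptolaemus tooling; it
assumes the paste's own section headings ("Epoch 1 C2s", "Epoch 2 - Spam C2s",
"Current Epoch 3 RSA Public Key") with one indicator per line."""
import ipaddress
import re

HEADING_RE = re.compile(r"^(?:Current )?Epoch (?P<epoch>\d)(?: - (?P<kind>Spam|Stealer))? "
                        r"(?P<what>C2s|RSA Public Key)$")
COMBO_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})$")
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
B64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")


def check_combo(line):
    """Return a normalised 'ip:port' for a valid IPv4:port line, else None."""
    m = COMBO_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m["ip"])  # rejects octets above 255
    except ValueError:
        return None
    port = int(m["port"])
    return f"{ip}:{port}" if 1 <= port <= 65535 else None


def parse_feed(text):
    """Walk the paste line by line; 'section' tracks which epoch list we are in."""
    out = {"combos": {}, "keys": {}, "sha256": [], "rejected": []}
    seen, section = set(), None  # section: ("combo", epoch, kind) or ("key", epoch)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = HEADING_RE.match(line)
        if head:
            section = (("key", head["epoch"]) if head["what"] == "RSA Public Key"
                       else ("combo", head["epoch"], head["kind"] or "C2"))
            continue
        if section and section[0] == "key":
            if B64_RE.match(line):  # the key is wrapped over several lines
                out["keys"][section[1]] = out["keys"].get(section[1], "") + line
                continue
            section = None  # first non-base64 line ends the key block
        if SHA256_RE.match(line):
            digest = line.lower()
            if ("sha256", digest) not in seen:
                seen.add(("sha256", digest))
                out["sha256"].append(digest)
        elif COMBO_RE.match(line):
            combo = check_combo(line)
            if combo is None:
                out["rejected"].append((line, "invalid IPv4 address or port"))
            elif not section or section[0] != "combo":
                out["rejected"].append((line, "combo outside an epoch section"))
            else:
                bucket = (section[1], section[2])
                if ("combo", bucket, combo) not in seen:
                    seen.add(("combo", bucket, combo))
                    out["combos"].setdefault(bucket, []).append(combo)
        # labels ("SHA256:", "Creation Time ..."), download URLs and prose are ignored
    return out


def combos_per_epoch(parsed, kind="C2"):
    """Distinct IP:port combos per epoch for one list kind (C2, Spam or Stealer)."""
    return {e: len(v) for (e, k), v in sorted(parsed["combos"].items()) if k == kind}


# Constructed sample in the paste's layout: a few of the page's own indicators, one hash
# given twice (once upper-cased), one combo given twice, and two malformed combos.
SAMPLE = """\
SHA256:
b5a9b073c35be4462f63e39f9d1a5df88aa146ae8a74978c624073b4dbe8bef8
B5A9B073C35BE4462F63E39F9D1A5DF88AA146AE8A74978C624073B4DBE8BEF8
Epoch 1 C2s
190.230.60.129:80
190.230.60.129:80
104.236.243.129:8080
999.1.1.1:8080
10.0.0.1:70000
Epoch 1 - Spam C2s
104.236.185.25:8080
Current Epoch 1 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB
Epoch 3 C2s
108.179.216.46:8080
"""

if __name__ == "__main__":
    parsed = parse_feed(SAMPLE)
    print(combos_per_epoch(parsed))  # {'1': 2, '3': 1}
    for bad, why in parsed["rejected"]:
        print("rejected:", bad, "->", why)
```

On the sample this yields {'1': 2, '3': 1}: the duplicated combo is counted once and the two malformed lines land in `rejected`. Anything in `rejected` deserves a look before the list is loaded into a blocklist or detection rule, and the base64 key text collected under `keys` can be compared against the previous day's paste to spot an epoch key rotation.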

Closing


Some of the other guys will be handling these reports since I am headed on vacation for a few weeks starting Friday. I almost want
to stay behind and work on this, but not really :P The Cryptolaemus team will continue to do their best to give you the latest 
news and IoCs regarding Emotet and Ivan. It should be noted that the people on this team are all 100% volunteers and go out of
their way to provide this info beyond their day jobs. We appreciate all the thank-you messages that we get and the stories we hear of 
how this has helped you. It is an honor to be a part of this effort! 

TT

Sandbox 09/18/19


E1
https://capesandbox.com/submit/status/103/


E2
https://capesandbox.com/submit/status/106/


E3
https://capesandbox.com/submit/status/105/