Daily Emotet IoCs and Notes for 09/19/19

Emotet Malware Document links/IOCs for 09/19/19 as of 09/20/19 02:30 EDT

Notes and Credits at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.


Payloads per Epoch by Document


Epoch 1 Payloads by Document SHA256 - All Times UTC #### (Newest on top)

Creation Time   2019-09-19 19:09:00 (Attachment Only - Docx based with embedded JSE - Protected View)
SHA256:
68e0d53c0ee82ee303a3ce3ff57e06e72b9692cbadda3a2b157d1b23faad9b00
d3d2941bbb55f040b583134a9f5d891a5865f5b4d5b32971e64cf4a938b48fdd
8d3de338b1f13c55c73461a24fef506de8733e392cd145cc3a6a843bab28ee3d

Creation Time   2019-09-19 13:32:00 (Attachment Only - Docx based with embedded JSE - Protected View)

Creation Time   2019-09-19 07:35:00 (Attachment Only - Doc based - Protected View)

SHA256s for Epoch 1 Payload EXEs seen on 09/19/19 #### (Newest on top)


Epoch 2 Payloads by Document SHA256 - All Times UTC #### (Newest on top)

Creation Time   2019-09-19 19:08:00 (Attachment Only - Docx based with embedded JSE - Protected View)
SHA256:
c531d9327bbce71a1c2db1facd02de53c38c072153da9fd0e00187e63beede70
d8d4c023c67ab19ebb112abaa2662b1a7afb544e87ecb8f12350aea0e3acda3e

Creation Time   2019-09-19 13:32:00 (Attachment Only - Docx based with embedded JSE - Protected View)

Creation Time   2019-09-19 08:31:00 (Attachment Only - Doc based - Protected View)

Creation Time   2019-09-19 06:46 (Attachment Only - Doc based - Protected View)

SHA256s for Epoch 2 Payload EXEs seen on 09/19/19 #### (Newest on top)


Epoch 3 Payloads by Document SHA256 - All Times UTC #### (Newest on top)

Creation Time   2019-09-19 07:11:00 (Attachment Only - Doc based - Protected View)

Creation Time   2019-09-18 19:03:00 (Attachment Only - Doc based - Protected View)
SHA256:
6be3fc54c94383dcb8192f7f3f2907ba49f914688197e3034cdb91947c273b8c
ee6815748895f0ede1ac8035c1d6515ce08eabe47d7f41bd9296b6caca19eb81
abd3065a01990d198097884b1f8e1f87b5ce9fd330ae1c3c5fe51fa0623d19dc

SHA256s for Epoch 3 Payload EXEs seen on 09/19/19 #### (Newest on top)


C2s per Epoch


Epoch 1 C2s


Epoch 1 - Spam C2s

104.236.185.25:8080
31.31.78.203:8080
45.55.82.2:8080

Epoch 1 - Stealer C2s

66.228.32.31:443
198.50.170.27:8080
216.98.148.157:8080

Current Epoch 1 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB

Epoch 2 C2s


Epoch 2 - Spam C2s

69.43.168.232:443
185.187.198.4:8080
46.228.205.245:4143

Epoch 2 - Stealer C2s

46.105.131.69:443
176.31.200.130:8080
104.131.58.132:8080

Current Epoch 2 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB

Epoch 3 C2s


Epoch 3 - Spam C2s

41.185.29.128:8080
94.177.253.126:80

Epoch 3 - Stealer C2s

178.32.255.133:443
198.46.150.196:7080

Current Epoch 3 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB

Credits and Notes Section


WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch,
because they rock and report everything to ISPs as soon as it is confirmed to be malware. Additionally,
this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are now in alphabetical order. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

What is Epoch 1, Epoch 2 and Epoch 3?

(09/17/19)
With the discovery today of Epoch 3, which split from Epoch 1, this section will be rewritten in time to reflect these changes.

Community Lists

https://pastebin.com/TP5kUfvA - @pancak3lullz
https://pastebin.com/dS7L3YQq - @lazyactivist192
https://pastebin.com/884T2R75 - @Paladin3161
https://pastebin.com/iipRzFGe - @Paladin3161
https://pastebin.com/jYKazJFp - @SecSome
https://pastebin.com/weCqcV00 - @executemalware

(sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)

Credits

Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:
Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161
C2 info/RSA Keys - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @VK_Intel, @Paladin3161
Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @p5yb34m, @malware_traffic, @Paladin3161, @executemalware
Spam Templates - @devnullnoop, @ps66uk
Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and 
helping out with this!
Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project (https://github.com/decalage2/ViperMonkey),
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
@urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software at no charge to this cause!

Daily Log 09/19/19


@JRoosen here - today we saw continued use of the Trickbot-ish loader, which showed very poor detection ratios on VT.


General News


@Pollo290987 observed Emotet targeting customers of specific banks with attachments named in the following way:
https://twitter.com/pollo290987/status/1174685254508064768

Brad over at @malware_traffic saw more Trickbot deploy via Emotet:
https://twitter.com/malware_traffic/status/1174817168741019648?s=20

More researchers started to notice Emotet malspam coming in:
https://twitter.com/pancak3lullz/status/1174709706012680192?s=20 - @pancak3lullz
https://twitter.com/pancak3lullz/status/1174709706012680192?s=20 - @notajungman

Jaeson Schultz noticed some of the spam templates not being populated correctly. This seems to happen often and
the fields are interesting. 
https://twitter.com/jaesonschultz/status/1174611771698450432 - @jaesonschultz


Lawrence Abrams over at @bleepingcomputer wrote a great article today, which you can see here:
https://www.bleepingcomputer.com/news/security/emotet-trojan-evolves-since-being-reawakend-here-is-what-we-know/
There are some good tips in the article, and he was kind enough to talk to me about some of the latest happenings.

Drops Report


Today it seemed like Trickbot was the malware of choice on all botnets. I did not hear or see of anything else being mentioned.


Email Template Report


I received 1 generic and 1 reply-chain malspam today. The generic malspam was HTML based and used a purchase ruse:


From: compromised@domain.tld
To: victim@yourdomain.tld
Subject: Bill AC-153921309 is paid, your purchase order arranged for delivery

Good evening, dear Customer.

Thank you for quick payment for your online =
order #584293. Payment you sent in amount of 4149.25 Dollars was today =
confirmed by our operators. Full pack of items you=E2=80=99ve bought will =
be shipped as one medium parcel by USPS courier service in four working =
days. All required information is attached to this letter.

Best Regards,
MQ online store
----_NmP-eb491cefda8e7716-Part_2
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html>
<html lang=3D"en">
<head>
<title>Bill AC-153921309 is paid,=
 your purchase order arranged for delivery</title>
<meta =
http-equiv=3D"Content-Type" content=3D"text/html; charset=3DUTF-8">
<meta http-equiv=3D"X-UA-Compatible" content=3D"IE=3Dedge">
<meta name=3D"viewport" content=3D"width=3Ddevice-width, initial-scale=3D1.=
0">
</head><body>Good evening, dear Customer.<br /><br />Thank you for =
quick payment for your online order #584293. Payment you sent in amount of =
4149.25 Dollars was today confirmed by our operators. Full pack of items =
you=E2=80=99ve bought will be shipped as one medium parcel by USPS courier =
service in four working days. All required information is attached to this =
letter.<br /><br />Best Regards,<br />MQ online store<br /><hr =
/></body></html>
----_NmP-eb491cefda8e7716-Part_2--

As mentioned in @Pollo290987's post, some of the attachment names were the following:

Today #emotet some attachment names:
Archivo_2019-09-18 [0-9]{5}.doc
Documento_2019-09-18_[0-9]{5}.doc

Also impersonating some banks:  BankName [0-9]{15,}.doc

 Santander 302993057004875.doc
 BBVA 983689064546064.doc
 CaixaBank 1274061103904803.doc


I didn't get to the link-based templates yet even though E2 was doing links again today. Hopefully we can start to get some regexes here for
links to help.
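As an added example (not part of the original report or the Cryptolaemus tooling), the following Python script turns the attachment-name templates quoted above into detection regexes and runs them over the attachment names found in a constructed raw message. It generalises the report's single date (2019-09-18) to any YYYY-MM-DD and accepts either a space or an underscore before the five digits; the bank list is limited to the three names the report quotes, and the sample message is constructed.

```python
import email
import re

# Attachment-name templates as quoted in the report above (Archivo_/Documento_
# followed by a date and five digits, and "BankName [0-9]{15,}.doc"). The date
# is generalised from the report's single 2019-09-18 value to any YYYY-MM-DD,
# and either a space or an underscore is accepted before the five digits,
# since the report shows both separators.
DATE = r"\d{4}-\d{2}-\d{2}"
GENERIC_PATTERNS = {
    "archivo": re.compile(rf"^Archivo_{DATE}[ _]\d{{5}}\.doc$", re.IGNORECASE),
    "documento": re.compile(rf"^Documento_{DATE}[ _]\d{{5}}\.doc$", re.IGNORECASE),
}

# Bank names are the three the report quotes; extend this tuple for other lures.
BANK_NAMES = ("Santander", "BBVA", "CaixaBank")
BANK_PATTERN = re.compile(
    r"^(?P<bank>" + "|".join(re.escape(b) for b in BANK_NAMES) + r") \d{15,}\.doc$",
    re.IGNORECASE,
)


def classify_attachment(name: str):
    """Return a label if `name` matches one of the lure templates, else None."""
    for label, pattern in GENERIC_PATTERNS.items():
        if pattern.match(name):
            return label
    match = BANK_PATTERN.match(name)
    if match:
        return "bank:" + match.group("bank").lower()
    return None


def flag_attachments(raw_message: str):
    """Parse a raw RFC 822 message and return (filename, label) for every
    attachment whose filename matches a lure template."""
    msg = email.message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue
        label = classify_attachment(filename)
        if label:
            hits.append((filename, label))
    return hits


# Constructed sample message (not a real capture): the headers mirror the
# purchase ruse above, with one lure-named .doc and one benign PDF attachment.
SAMPLE_EML = """\
From: compromised@domain.tld
To: victim@yourdomain.tld
Subject: Bill AC-153921309 is paid, your purchase order arranged for delivery
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset=utf-8

Good evening, dear Customer. All required information is attached.

--BOUNDARY
Content-Type: application/msword; name="Santander 302993057004875.doc"
Content-Disposition: attachment; filename="Santander 302993057004875.doc"
Content-Transfer-Encoding: base64

QUJD
--BOUNDARY
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

QUJD
--BOUNDARY--
"""

if __name__ == "__main__":
    for filename, label in flag_attachments(SAMPLE_EML):
        print(f"lure attachment: {filename!r} ({label})")
```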

Payloads Report

 
Interestingly enough, the trend continues for C2 binary loader updates and distro binary loaders to be the same. That does
not surprise me given some of the detection rates I was seeing on VirusTotal for these Trickbot-ish loaders even after several hours.
At first some of these loaders had maybe 4-5 engines detecting them, and even now that number stands at 12-13/67 after some of
these files have been around for a while. This is rather disappointing, and hopefully the situation gets better. You will also
notice the loader seems to be flagged as Trickbot more often now too.

We saw very little hash busting with these new loaders; it seems almost as if there is none, with payloads updating only
every ~6 hours on both C2 and distro.

Also, E1 seems to be the botnet that is receiving the most attention of late and the quintets keep rolling out faster than
the other two. 
 

C2 Report

@lazyactivist192 once again was on top of things with all the C2 updates today:
https://pastebin.com/dS7L3YQq

C2 on E1 changed and increased from 60 combos to 72 in total.
C2 on E2 changed and increased from 68 combos to 75 in total.
C2 on E3 changed and increased from 27 combos to 31 in total.

Closing


It seems like the new Trickbot-ish loader is here to stay, with C2 binary updates synced with distro. It looks like Ivan is
happy with the poor detection on this new loader family and doesn't feel hashbusting is worth it now. I also still do not
see an E4 botnet, but I have to believe it will appear at some point unless the E3 botnet was just meant to target a specific
geo or serve a specific customer/actor. It remains to be seen, but E3 doesn't seem to do more than 2 quintets per day and this
interests me. This will be my final update for the week; I will be back in a few weeks on the 7th. Keep fighting the good fight
and good luck out there!


Sandbox 09/19/19


E1
https://capesandbox.com/submit/status/155/
E2
https://capesandbox.com/submit/status/156/
E3
https://capesandbox.com/submit/status/153/