Daily Emotet IoCs and Notes for 09/20/19

Emotet Malware Document links/IOCs for 09/20/19 as of 09/21/19 00:00 BST

Notes and Credits at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.


Payloads per Epoch by Document

Epoch 1 Payloads by Document SHA256 - All Times UTC #### (Newest on top)

Creation Time	2019:09:20 15:17:00 (Attachment Only - Docx based with embedded JSE - Protected View)
 

Creation Time	2019:09:20 14:06:00 (Attachment Only - Doc based - Protected View)
 


Creation Time	2019:09:20 06:27:00 (Attachment Only - Doc based - Protected View)
 

SHA256s for Epoch 1 Payload EXEs seen on 09/20/19 #### (Newest on top)


Epoch 2 Payloads by Document SHA256 - All Times UTC #### (Newest on top)

Creation Time	2019:09:20 15:13:00	(Attachment Only - Docx based with embedded JSE - Protected View)
 


Creation Time	2019:09:20 13:58:00	(Attachment Only - Doc based - Protected View)


Creation Time	2019:09:20 07:30:00	(Attachment Only - Doc based - Protected View)
 

SHA256s for Epoch 2 Payload EXEs seen on 09/20/19 #### (Newest on top)


Epoch 3 Payloads by Document SHA256 - All Times UTC #### (Newest on top)



Creation Time	2019:09:20 15:17:00	(Attachment Only - Docx based with embedded JSE - Protected View)


Creation Time	2019:09:20 07:41:00	(Attachment Only - Doc based - Protected View)


SHA256s for Epoch 3 Payload EXEs seen on 09/20/19 #### (Newest on top)


Consolidated SHA256s for DOC seen on 09/20/19 #### (Newest on top)

C2s Per Epoch

Epoch 1 C2s


Epoch 1 - Spam C2s

104.236.185.25:8080
31.31.78.203:8080
45.55.82.2:8080

Epoch 1 - Stealer C2s

66.228.32.31:443
198.50.170.27:8080
216.98.148.157:8080

Current Epoch 1 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB

Epoch 2 C2s


Epoch 2 - Spam C2s

69.43.168.232:443
185.187.198.4:8080
46.228.205.245:4143

Epoch 2 - Stealer C2s

46.105.131.69:443
176.31.200.130:8080
104.131.58.132:8080

Current Epoch 2 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB

Epoch 3 C2s


Epoch 3 - Spam C2s

41.185.29.128:8080
94.177.253.126:80

Epoch 3 - Stealer C2s

178.32.255.133:443
198.46.150.196:7080

Current Epoch 3 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB

Credits and Notes Section


WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch 
because they rock and report everything to ISPs as it is confirmed to be malware. Additionally, 
this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
 
NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

What is Epoch 1, Epoch 2 and Epoch 3?


(09/17/19)
With the find of Epoch 3 today that split from Epoch 1, this section will be rewritten to reflect these changes in time.

Community Lists


https://twitter.com/SecSome/status/1175143849582354432?s=20
https://twitter.com/reecdeep/status/1175062938610257920?s=20
https://twitter.com/d4rksystem/status/1175032203627155456?s=20
https://twitter.com/executemalware/status/1175182698966585345?s=20


(sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)

Credits

Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:

Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161

C2 info/RSA Keys - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @VK_Intel, @Paladin3161

Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk

Spam Templates - @devnullnoop

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and 
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey , 
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch, 
@urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software no charge to this cause!

Daily Log 09/20/19

VBA macros have been checking how many entries are in the Recent Documents list; they won't trigger the URL download unless there are more than 3 entries.
https://twitter.com/BompaniMarco/status/1174981518957015040?s=20

AnyRun has addressed this now, but for today it has been necessary to aggregate all the DOC hashes into a single list above.

E3 also seems to be sending emails overnight now (00:00-05:00 UTC) - possibly hoping to avoid some security, or maybe targeting another geo.


General News

A good review of the Emotet JS by @ledtech3:
https://twitter.com/Ledtech3/status/1174962183198756864?s=20

and a nice look at the VBA macro from @sec_soup:
https://twitter.com/sec_soup/status/1175264031852105728

Drops Report


Email Template Report

All templates today were of the 'Protected View' type.

Waiting for more the next few days IF they come back. 

Payloads Report

Very few updates on each epoch today, only 4 on each.

 

C2 Report


72 combos on E1
76 combos on E2
39 combos on E3

Closing



TT

Sandbox 09/20/19


E1
https://capesandbox.com/submit/status/182/


E2
https://capesandbox.com/submit/status/183/


E3
https://capesandbox.com/submit/status/185/