Daily Emotet IoCs and Notes for 09/23/19

Emotet Malware Document links/IOCs for 09/23/19 as of 09/24/19 00:00 BST

Notes and Credits at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.


Payloads per Epoch by Document

Epoch 1 Payloads by Document SHA256 - All Times UTC #### (Newest on top)

Creation Time	2019:09:23 14:21:00 (Attachment Only - Doc based - Product Notice)

Creation Time	2019:09:23 12:53:00 (Attachment Only - Doc based - Product Notice)


Creation Time	2019:09:23 06:17:00 (Attachment Only - Doc based - Product Notice)

SHA256s for Epoch 1 Payload EXEs seen on 09/23/19 #### (Newest on top)


Epoch 2 Payloads by Document SHA256 - All Times UTC #### (Newest on top)

Creation Time	2019:09:23 17:52:00	(Attachment Only - Docx based with embedded JSE - Product Notice)


Creation Time	2019:09:23 14:30:00	(Attachment Only - Doc based - Product Notice)


Creation Time	2019:09:23 12:33:00	(Attachment Only - Doc based - Product Notice)


Creation Time	2019:09:23 06:57:00	(Doc based - Product Notice)

SHA256s for Epoch 2 Payload EXEs seen on 09/23/19 #### (Newest on top)


Epoch 3 Payloads by Document SHA256 - All Times UTC #### (Newest on top)

Creation Time	2019:09:23 17:53:00	(Attachment Only - Docx based with embedded JSE - Product Notice)


Creation Time	2019:09:23 14:34:00	(Attachment Only - Doc based - Product Notice)


Creation Time	2019:09:23 12:47:00	(Attachment Only - Doc based - Product Notice)


Creation Time	2019:09:23 06:52:00	(Attachment Only - Doc based - Product Notice)

SHA256s for Epoch 3 Payload EXEs seen on 09/23/19 #### (Newest on top)


C2s Per Epoch

Epoch 1 C2s


Epoch 1 - Spam C2s

104.236.185.25:8080
31.31.78.203:8080
45.55.82.2:8080

Epoch 1 - Stealer C2s

66.228.32.31:443
198.50.170.27:8080
216.98.148.157:8080

Current Epoch 1 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB

Epoch 2 C2s


Epoch 2 - Spam C2s

69.43.168.232:443
185.187.198.4:8080
46.228.205.245:4143

Epoch 2 - Stealer C2s

46.105.131.69:443
176.31.200.130:8080
104.131.58.132:8080

Current Epoch 2 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB

Epoch 3 C2s


Epoch 3 - Spam C2s

41.185.29.128:8080
94.177.253.126:80

Epoch 3 - Stealer C2s

178.32.255.133:443
198.46.150.196:7080

Current Epoch 3 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB

Credits and Notes Section


WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list. I am providing them for your benefit in case you want to parse them to be sure.

What is Epoch 1, Epoch 2 and Epoch 3?


(09/17/19)
With the discovery of Epoch 3 today, which split from Epoch 1, this section will be rewritten to reflect these changes in time.

Community Lists

(sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)

Credits

Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:

Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161

C2 info/RSA Keys - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @VK_Intel, @Paladin3161

Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk

Spam Templates - @devnullnoop

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and 
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project (https://github.com/decalage2/ViperMonkey), 
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch, 
@urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software at no charge to this cause!

Daily Log 09/23/19

Early emails were using 'Snowden' as a lure, in both Subject and Filename, along with a new template (Product Notice).

First E2 DOC (2019:09:23 06:57) was delivered as both an attachment and a URL; all subsequent DOCs were attachment only.

One of the E3 documents (2019:09:23 12:47) appeared to have malfunctioning macros; most of its EXE URLs were reused in a later DOC (2019:09:23 17:53), which is unusual.


General News

new template - 'Product Notice'
https://twitter.com/anyrun_app/status/1176105652718059522?s=20

subjects - 'Snowden'
https://twitter.com/Racco42/status/1176070011993108480?s=20
https://twitter.com/MBThreatIntel/status/1176205270898229248?s=20

Drops Report


Email Template Report

All templates today were 'Product Notice' type.
Early files featured DOC/PS, later files were DOCX/JSE.

Waiting to see more over the next few days IF they come back.

Payloads Report

Very few EXE updates on each epoch today, only 4 on each.

C2 Report

70 combos on E1
82 combos on E2
39 combos on E3

Closing



TT

Sandbox 09/23/19


E1
https://capesandbox.com/submit/status/215/


E2
https://capesandbox.com/submit/status/216/


E3
https://capesandbox.com/submit/status/214/