Daily Emotet IoCs and Notes for 09/24/19 - 09/25/19

Emotet Malware Document links/IOCs for 09/24/19 - 09/25/19 as of 09/26/19 00:00 BST

Notes and Credits at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.

http://2lo.5v.pl/wp-includes/Scan/PAOUgoQlRKlFSF/
http://afghanbazarrugs.com/AfghanCarpetRugs/Pages/OrtfpHxf/
http://ahenkhaircenter.com/blogs/lm/bzad0ivyazuv7sl3l9ewek4m2_rnmeias9fn-97136005382469/
http://aleksandarnikov.com/blogs/lm/q9e0sxelwpmpmi_8zz6ndkry-860510954408/
http://alikhbariaattounsia.com/test/Pages/vi1alsahsrv5s614jgfl8ewjy_iytyloj-5859557314/
http://cartawesome.com/385ih/74oz712rtsl6p5t4ttqnedn7jz0x_gef5dc-599133617567342/
http://casadealdeaaraceli.com/test/Scan/xoPkQSPbGFPJaXweelhBRxbPG/
http://chungcuroman-plaza.com/wp-includes/Pages/yjpIdrLWVRQRwokObjGQEePCdhk/
http://consultrust.in/wp-content/parts_service/6oqa28jeqdabtzznji4i8k_50sduf-72515726/
http://cryptocustomerhelp.com/wp-content/parts_service/j1nfhdb7pm195me1ng4t7ry8e_8srx6ktb7-2637448726/
http://cstsportsraj.com/jaoe9fom3/hlOZpxgnROz/
http://cthomebuysolutions.com/cthomebuysolutions.com/LLC/36pw1jjuh0uzvadaqradfarg_urtrjhh-655470937455/
http://discovermagazines.ca/img/parts_service/KcLjmswUOPFeKELkhvAU/
http://dwaynejohnson.co.in/rrnc/paclm/teo9z4gck0a9j69ffgubjgq4_kuh9f7-00198048/
http://green.ctfc.cat/3pv/x7eqa5j0jo1a0m4_5v5hais-39788094311017/
http://institut.deep-webb.ru/spnf/zx75c0zk6vo5aympsnihxdgi6iw_hiraaz9-899276794321891/
http://intranet.tag.mx/phppgadm/themes/gotar/THZXJUE7H/dvtEVVHasheCZZxObPUAd/
http://klimat.aperture-dev.com/wp-content/eodwkpdfrszbfcbpnvgdr1_zjrh3gl0lu-761267992/
http://landing.master-pos.com/wp-includes/Text/sites/vdedPGGNzLSTAUPNZKAddjblISf/
http://laneezericeira.com/fvweifb2/0kulrptr6rln_eulp4-62014967452890/
http://livedownload.in/wp-includes/hnHyTbStRPTvohsIIkRAm/
http://lucioflaubert.com.br/admin_site/xa2w6dyrjqj2j976wcx_sndx1xvpi-99480801402/
http://maisquelleidee.fr/wp-content/uploads/paclm/imin91k0jco_wnalijek-999823243/
http://mal.ba/css/3q5nioxuhzsp2x82uctrg7o_wanyrh8e-69431681/
http://manipulator-lobnya.ru/wp-admin/19bdnzqqfgi3y2ur7sub_z3ct3-4563779497927/
http://mcveybros.com/Riad/parts_service/mwog223xrncjoymd9s61iahrbbime_a3g5g-52870726553130/
http://meidiaz.com/wp-admin/BDPYRRhgvVlfutw/
http://mexiprog.com/musart/lm/nmpnCruGgCBXV/
http://minimidt.cm/wp-admin/3530205148/nk9et6ehzi5x1vy6jmkjsabl0t_43mgcy1-8257917054260/
http://mrgeeker.com/mjj7im/parts_service/c5iwt4awbultfhoojvg_74c3x-28700802450458/
http://navbhaskar.in/wp-content/44071603363/b3zaskvdepa1cb6yz4ur5o4vd22v1_2kyxk-132805983442/
http://nhahangsangmeosapa.com/wp-content/FILE/4eh7mqjg06s8rj7ktqblq4k_8eczj5-262662890501277/
http://nissanlevanluong.com.vn/wp-content/lm/PSXmNSQcMuPeungFoAzplRHsGu/
http://okdpreview.com/dev/csn_1/wp-content/uploads/Scan/i4220xf03fy63y0hy5xhgtp6t8r8_s8njxky-53145233940116/
http://oneilgordonhospitalityconsultant.com/wp-admin/YDuRaXEwzDwiplv/
http://pdtoman.com/nofij3ksa/esp/EuqcpqKwgDGkLoilQAfA/
http://pen.kestrelddm.com/wp-content/lm/mAvvqdjGxlxtrhnDxJggzjiH/
http://perevozchik.net/wp-admin/DOC/hoBShyveqHwFHgXnfrizaKRZPhGxGb/
http://pollux.botfactory.pro/wp-content/7lu0ohy88ur9a_imqz1q9k-079240415165/
http://portkotor.local.bildhosting.me/tmcd/lm/0co2868l9nmsuixgwq_k0r5uw40-732484121735695/
http://pranavadvisoryservices.com/wp-admin/LLC/WvhwwLzuVdhevpsIjiSOtQiyIQoEY/
http://pro-cyber.fr/layouts/Scan/ACAjeqGxQhLY/
http://profitsolutionadvisors.com/wp-content/LLC/GqvEqWnBmRRJro/
http://qurilish.webforte.uz/wp-includes/DOC/j1uqje37z_0zb6o-52736522056/
http://reha-active.pl/wp-admin/Scan/LUUUiRTcQkumgefqXXqasngth/
http://roughcastcleaning.co.uk/wp-includes/parts_service/LaiskshcRVCnuypYjdWjGLovEP/
http://saielectronicsservices.com/en/LLC/WoDPpeGxXxUHbZoEjDWrdXEpPgmHPu/
http://shuimulinsen.vip/62gng/sites/xkqclmqutuyhcsetzee/
http://spdfreights.in/wp-content/Pages/GkgpQjXBBhFLw/
http://strategicsocialpartners.com/wp-content/parts_service/lLbwCpWyhInZOVukBfTYmLyHUxG/
http://structuralworkshop.com/wp-content/9397210738/jmCLqdiQCuFulDISJy/
http://thepretshop.com/rbjsd/sites/gYbuKhiuVNtmzSOpgNRkj/
http://tuttotenda.it/wp-content/Pages/HjOmRWVwVBbCuUEzXgo/
http://wapvideos.me/cgi-bin/P69CHM9E0ZC/tEOmjsHUorPFXUTtrWWkaVoTbBe/
http://www.pro-cyber.fr/layouts/Scan/ACAjeqGxQhLY/
http://www.sdi-diagnostic.fr/wp-includes/FILE/SoQSDwXZU/
http://www.shuimulinsen.vip/62gng/sites/xkqclmqutuyhcsetzee/
http://xclassicpictures.com/wp-includes/51112424726944561/txrfhwrxmvb_f7kl6tp-140772247094287/
https://afghanbazarrugs.com/AfghanCarpetRugs/Pages/OrtfpHxf/
https://allmark.app/wp-admin/esp/5ly9q5h5_deco79ai-01600724/
https://cartawesome.com/385ih/74oz712rtsl6p5t4ttqnedn7jz0x_gef5dc-599133617567342/
https://casadealdeaaraceli.com/test/Scan/xoPkQSPbGFPJaXweelhBRxbPG/
https://cerahalam.net/wp-admin/INC/pkc2meoq2ay5ek_bi0o9t7v7-544679383/
https://chungcuroman-plaza.com/wp-includes/Pages/yjpIdrLWVRQRwokObjGQEePCdhk/
https://collectables.nojosh.com.au/1u8b/sites/84vrtfmcbr0wtpmyadcf04u1_3o6rypo-32807678062/
https://laneezericeira.com/fvweifb2/0kulrptr6rln_eulp4-62014967452890/
https://minimidt.cm/wp-admin/3530205148/nk9et6ehzi5x1vy6jmkjsabl0t_43mgcy1-8257917054260/
https://miraigroupsumatera.com/wp-includes/Pages/24xayoiirefyepjjbjdp5c_nmxtj1w-99376527660/
https://sahajanandmart.com/demos/parts_service/b56u9ovtsixn0xw4jg7id2nb4gygra_p7zs8cni4-80583171910098/
https://seasidetales.com/wp-includes/DOC/YIgAkwoUfJvHdT/
https://spiraldigitalinc.com/wp-content/OQ3DU7GM4/ek1c4sqnqa3o3_w5bu9a-4776116834347/
https://strategicsocialpartners.com/wp-content/parts_service/lLbwCpWyhInZOVukBfTYmLyHUxG/
https://structuralworkshop.com/wp-content/9397210738/jmCLqdiQCuFulDISJy/
https://synchdigital.com/d1uvbuojhx/INC/u0n1el221qur8hskp7y3rk_a8d0a67-030938028390880/
https://tuttotenda.it/wp-content/Pages/HjOmRWVwVBbCuUEzXgo/
https://unitedformats.nl/wp-admin/DOC/tfxg5yemtt_4sry6s02s-512125025508/
https://vmindpower.com/qzZo6W/DOC/liNwTxvOYQMWd/
https://wapvideos.me/cgi-bin/P69CHM9E0ZC/tEOmjsHUorPFXUTtrWWkaVoTbBe/

Payloads per Epoch by Document

Epoch 1 Payloads by Document SHA256 - All Times UTC #### (Newest on top)


Creation Time	2019:09:25 21:00 (Attachment Only - Docx based with embedded JSE - Product Notice)
SHA256
8199f5dcfc14173e7a348d2c349905725bf03b5293c7723bf2f1eb2b7322d398
be26d7f85dd93c0838e88a91baa76036f488f82d7338fc12f7838e5eff4ef24c
832c0541154a0f631ce5788a4b6423a2d613b9ae9e05dacec3704b6e15b1df74
aaf4b3f5f526221e16befb6f5ce2ec111b16c7899ac67eaa2592073248ec9525

http://qalamelarab.com/wp-content/dsd5ue9269/
https://leixiayiran.com/wp-includes/4li22/
http://www.sgiff.com/css/xrn487/
http://www.suse-tietjen.com/wp-admin/bg7s583/
http://vaketravel.com/wp-admin/m79503/


Creation Time	2019:09:25 17:05 (Attachment Only - Docx based with embedded JSE - Product Notice)
SHA256
f7d739d847eb2a64f2185cc1f7e7520e6301267bd195d7804366f0dad04b76f6
86133ac4c4598356a972f1424ef4351b35cf6595e2b4d5f6f4ee9f37638d69eb
41aa138f93f0f2e6800621287c6dcb1df87ac518d7a8e8ba130aacda409fce6d
aa361ff8ab05a4fb5056505b563ef78b4ede77ce1218e14cd88b95ff2fe11798
503d61ba5c15efc736fb371371787a584b6c63ffb9eedce796b2a615b5ff90d8

http://fromdax.com/wp-content/m5y728766/
http://dfc33.xyz/wp-includes/y4r001/
http://demo.naasdigital.com/magazine/zwca5/
http://www.arvindtronik.iniserverku.com/wp-admin/sc1ds9447/
http://amb-techinstitute.com/wp-includes/51/


Creation Time	2019:09:25 16:45 (Attachment Only - Doc based - Product Notice)
SHA256
acd2ed2502c7475f50f0b930795b7e1ddf80a381413ee93fd17f7c22add4e7f7

http://zimahenergy.com/wp-content/azwk6/
http://www.vivekanandadegreecollege.com/wp-includes/j63213/
https://divakurutemizleme.com/wp-content/p4481/
http://hepsihediyelik.net/wp-admin/7l8ob60/
http://www.averybit.com/wp-content/uploads/d4/


Creation Time	2019:09:25 12:16 (Attachment Only - Doc based - Protected View)
SHA256
630c2f9b622b68e7b7700884d04a3a229f61bb9e4689c9877f0a4e9af66f3f8c
75e382189dc3ff8a317c1da1e3557a246e1c4783dac7d9eb74e7d720d8d03211
9e97e0f07195414d5d1fe57fc6ff5fe186e4d9bffdb9d89f99cc04b813630fef
7372ed04dec9612c51f257b71cd2668d1e8b9832ed3fda8b0b33e7da749b5a1d
ff78008b5aaf3a6e1a82390f86b44be59c42db525e1326bf231407a60e72b09b
71b9e8b6d01e7cece926ee9cd0d9d037c58d73990fa1f2e70456db8702bb4a09
2859477ce1daae4d1aaa4217c68f369a5d751d6a4d3903c492fc237161931e35

http://elisabietta.com/wp-content/44bj2z00/
http://costaging.com/staffheroes/ak9qqa045/
http://dimsum.xp-gamer.com/cgi-bin/nl72965/
http://demo.econzserver.com/blackhood/gkxo2/
http://eastwoodoutdoor.com/cgi-bin/t3186/


Creation Time	2019:09:25 06:17 (Attachment Only - Doc based - Product Notice)
SHA256

http://esoftlensmurah.com/wp-admin/x0300/
http://dtupl.com/wp-admin/g3ei2390/
http://every-day-sale.com/ab/1kxf6j325978/
http://examples.xhtmlchop.com/psd_to_wordpress/qi01645/
http://fashionupnext.com/wp-content/0j6w3at1/


Creation Time	2019:09:24 21:54 (Attachment Only - Doc based - Protected View)
SHA256
43b7900e9080e417e0fbe44ecf1056a372beae1e8b56eebcd4c48167003e292b
d53a0c38ba77e33e84006723988585b812eca984f125d9ab9bd77d8310c831de
96d972c5e8639c841c82a9d97eb351bca488df0033bf215b37cbf533171a1ced

http://finalchace.com/wp-includes/nm86909/
http://erfolg-kyoto.com/cgi/wp-content/uploads/h5293/
http://gnyfst.com/configweb/f332/
http://dev.yashcodigital.com/cgi-bin/h11/
http://greenbeanph.com/cgi-bin/10zho5/


Creation Time	2019:09:24 19:11 (Attachment Only - Doc based - Protected View)
SHA256
0ddb457831d2dadad5d06fe9dfc091e011189d60e744606b6ef957727e3906d2
a4b546b36aa10b26302792afda968361e3ddd150f1c796cd9d7cbace40fd2475
438046966e56ff51487c7dc6ab9282081bd16b5d3c977cae3107528d2c21426f
316ae264ae29dce2a569a054e6efdda7f686d9e85f6d0a9f8b8f82bc4c375faa
3886041d75e01071471d6ca91b1f235d728adda10906dc7b998e53e10a327129
c3cb5920121db087041519b04aedb2a8cebcfe19e3b1f58dbddec06d8fef8f9b
be5d6ac8499fc2fe621440abc23ee07acdc424e1aeccf1c140e9804508c9e0fd

http://gzbfashion.com/wp-content/259/
http://devcorder.com/yberdigital-info/vs8yoml510/
http://guanchangwen.com/nofij3ksa/t6524/
http://martx.com/hotel-telephones/3juc78242/
http://mosheperes.xyz/images/rbx31fh71/


Creation Time	2019:09:24 12:43 (Attachment Only - Doc based - Protected View)
SHA256
86a2ce14a390ad18fccf8cdee38afbd2d638137337c56e9e15a6e26dd1ee2200
dda9cbd8ba41c2dc255aae0aa6e96e5f4bddc6618254c170277ce5de5518d02a
e9b5162c7dd5b91edd676ad65840bec42e1a2b997e89670c9fbd22bedbed7131
3d300926715b5e92b067e38f038edf647a313662e01af889bc663df084aea6d0
8299142943a1c2ffd650917bfedf06e1f55fe16d83d8a0ba6f3f278b8315e2e9
599254a9990375ab983bc08caa1b726d02d199a43ae6e6aad68f49686eca43f4
724592518872b9f5410aa307fd12c7fc984c62dcbe9fa6bd1b61f067706580c1

http://skrperspective.com/wp-includes/1j5q7gqgc7-rrscxt-51/
http://smallbusinessmavericks.net/nexstarcrm/kcDqxeAmH/
http://securityvisionindia.com/wp-admin/ALJjzSFwG/
http://smart-solution.tokodeni.com/wp-admin/MwKFidxN/
https://www.8hu.me/wp-includes/hQAililY/


Creation Time	2019:09:24 06:15 (Attachment Only - Doc based - Product Notice)
SHA256

https://bhubaneswarambulance.com/wp-content/tg3p20/
https://indonesiaexp.com/wp-admin/ar3468/
http://purepropertiesobx.com/menusa/edt222/
http://sidanah.com/wp-admin/6dtjzp2161/
https://potoretocreative.com/wp-admin/n7/


Creation Time	2019:09:23 19:45 (Attachment Only - Doc based - Product Notice)
SHA256
207822172fa8f7fff5e35a3b0a68f6ced284f392cdb977380b7496382c555f5e

https://thecrystaltrees.com/nofij3ksa/o5523/
https://www.marquedafrique.com/k9c5qh/eb1wiw8192/
http://4excellent.com/wp-includes/ii950106/
http://www.davidleighlaw.com/wp-content/wlfsj15707/
http://thewomentour.com/wp-includes/f8yezb9/


SHA256s for Epoch 1 Payload EXEs seen on 09/25/19 #### (Newest on top)

Epoch 2 Payloads by Document SHA256 - All Times UTC #### (Newest on top)

Creation Time	2019:09:25 20:59 (Attachment Only - Docx based with embedded JSE - Product Notice)
SHA256
3155718b45368db53e3346b15f5606c69193d205e2d0aa50429b927040ba099a
3c7577c09cdd5d0f08d654768545f64f0fbfea1fc7faf434d6719ba73f1a9884
7104f8c8b78a45ad4dbfa45515ec8e0554c317dd727f3512283636a8702942a4
a2b423cf75a5241265e7d0775ac4fd4290f46f53ad3b8db31c4ca55fd2d4a32d

http://www.belovedstreetsofamerica.org/wp-admin/zAQEgXhEeQ/
http://scvarosario.com/wp-admin/3zen280_46kyql57tk-3/
http://stile-strano.com/sitefiles/0n5kvap_e48g90q-509510224/
http://suse-tietjen.com/wp-admin/RQDvGmOhN/
http://salespikes.com/4bicy/zpkib8hzk_xklztf-0587300276/


Creation Time	2019:09:25 17:04 (Attachment Only - Docx based with embedded JSE - Product Notice)
SHA256
7a00a2a1aaafadd1c6c3aa388ea3cd88a070bd9112c76c63f172bfa3c0781aa5

https://m3dscbd.com/wp-includes/r44x99_h9jn8-7782/
http://www.akdkart.com/k4ccjlz/96ds1ppkdm_v7yzwin-8/
https://shop.theglobalbeautygroup.com.au/wp-content/lRQxTIzoSt/
http://brijeshrana.com/wp-admin/sCahMihTVN/
http://azdhj.com/omoj7unine/XrSkVjsrgD/


Creation Time	2019:09:25 16:30 (Attachment Only - Doc based - Product Notice)
SHA256
39601e51ad2da167b0255ebfaa8ed92db3a079cefbb41370b37f0e14f3b99b23
531407af1b7d2881d09d341cb92421bfdb19d8b09a6604d75f5a78f3fc45d37f

http://mti.shipindia.com/wp-admin/css/me1ml_2b9tq9zvd-95185817/
http://nissandongha.com/wp-content/KNzBUjpb/
http://beaueffects.com/wp-content/k12yqks_dmed0mt29g-7268777/
https://rubycuve.com/uqsf/qsKVkhUlri/
https://www.projetorotamusical.com.br/wp-content/oog71_cwzb6zsnn-20060/


Creation Time	2019:09:25 12:40 (Attachment Only - Doc based - Product Notice)
SHA256
82aa2abb375a44f13db76288638ad726adac3adfee7d011357ad4ea2eec62cce
21ac0c8817ab78b2353bbd16e942d56a68d1495fd956bd432ec1963934ff586c
afcc033e1b97373fb301e2d3d791515486fdbee79ac44cd491e394caf5049f79
f17913b032f276456555a8eb786ad8decb177e0e76b6e89a7ed70710d9087591
fc8fe5a97cdb1b71cdf7b8bc486bcc0168bbbf277666e822543c66a1e7761e07
b839c646618b62961fa41f3dcb8ae0dcab594c8e70db0fde7d8202a7b5ed2897
f2e37bda05e01c965365046cd8e463dfd02e5caea3b98599f5b7cce5aafce644

http://dospk.com/sites/TpsMVEnGJN/
http://ngoinhadaquy.com/wp-admin/20s8zvjwxw_bowi8z96-87/
http://arbuzios-com-br.umbler.net/wp-admin/zZPfqaDo/
https://iantronik.com/wp-content/NadMOUjUx/
https://xuongren.com/wp-content/j2ls7i8sd_bu2xvbns-01849/


Creation Time	2019:09:25 06:59 (Attachment Only - Doc based - Product Notice)
SHA256
2fb36fd2ee54ab8d2a2703415c612658d9b15f6b12eac486a147929411acb4f5
7bd10cb53c45ec4dd0ed8e9ca21dbbdc685ac9c77ad91bc192f8ebfae6c3c470
dcb386a695b5320edda19b76739ccf0b267c887bb21b6c603c8a9a8134108682
6bfd02d5840f36f812d84a44075f519a20e6b83440ab9d51c93104602fe09972
2067713a5378d4539ad92d16474b489345819640332234cd5c9f73b4382234f6
447dc439c9e0db72959ac2aeec2c70848162eb46336310de8b2520ca48839c9e
f961bec890be00c74a8bb037c19746cb96457b6fc80f1a20c634afa9d409d6b8
b6d61b80d19c8073ed095fc9ec43450081706e1cea5dd30ac13d2374c5fd22ec
10bc919a9dae13777dcc6350334f1475d730839905d16e8c2a49b221a10b5147
a0bf63285a1661f3e8d7e7bfa30282baedae9bbf6903d82998f00cd2ba2835ad
d0d05ce185ccecb88496d93f23328eee5e72bd94b4eed330d1e37bab90dc534c

http://demo.kzonetechnologies.com/wp-content/uploads/zaiss_vnvuq-5/
http://cbportal.org/3dsnp/documentation/wp-content/languages/hmqd4_l3oee-031952353/
http://cavefashion.com/wp-content/cn35_q8xbu3tdk-860363/
http://cheshman.com/wp-admin/oyhauxdpi_9udg55pl-7726/
http://demo.nhattkw.com/diaocdainam/xbGsLWaI/


Creation Time	2019:09:24 21:24 (Attachment Only - Doc based - Product Notice)
SHA256
9b733988d7cec8f00d6ea14e19e3afb6e606b10959db1da58d9d49499179a5a4
1bdeff01db46a5816b2a25d3556a110ea62e652858c278fc2cf9cfc07117e523
3cc093b41b6433f88c5bda3065a02dfc9094a20af741f68186c5d3abf67d0532
f23e00afb52009919c1145ba85ae6c4bba3df66392b5c948f54e85fdcb8036f7
bdcb934de06faec5a2cdd9eb1d87aebf2b4e1b6f291a80023e8977fa21dae80c

http://jacobsondevelopers.com/wp-content/o2umig8jw_2zv8sv3d-640031030/
http://jiye.cn/wp-admin/nfMfdTfhp/
http://justforhalloween.com/calendar/pxzHArxKz/
http://jntytech.com/wp-includes/xobbi_re2u3rtp-349657/
http://jslogo.cn/rlj7xe/wgyuo0_lkmp8b3k0-42/


Creation Time	2019:09:24 11:36 (Attachment Only - Doc based - Product Notice)
SHA256

https://lignar.com/wp-admin/nmzwqzx_3oszpk-84359/
http://litpam.org/wp-includes/szXSrsHRc/
https://www.esrahanum.com/wp-admin/ZyiIdEPz/
http://black-ether.com/wp-content/pvc04cc_4wd29hsk5-3/
http://millenium.hotelit.com.pk/wp-content/zv2hzmn_9b0txr0f-901321/


Creation Time	2019:09:24 06:41 (Attachment Only - Doc based - Product Notice)
SHA256

https://www.studiomovil.com.mx/wp-content/erRpJAmInz/
http://krzewy-przemysl.pl/wp-includes/yf1etsmsp_esqjtujn-589/
http://laalpina.cl/sisi/cncXoJaqj/
http://aysotogaziantep.com/wp-content/DSovUnSbnf/
http://www.noshnow.co.uk/ybzew/wMaxwSMC/


Creation Time	2019:09:23 19:44 (Attachment Only - Docx based with embedded JSE - Product Notice)
SHA256
a6f0f8e4705566fa4a63886ef542c2bf74b32588f200b72834f95e15b639a244

https://codeshare365.com/wp-content/sDtKNAGUm/
https://jiksaw.com/wp-content.orig/hpyltfhQ/
http://muscatroots.com/WPPS-CM17346928/vf2s8td01g_ad8d7vmz-538923840/
https://digitalmarketingpromotion.com/cgi-bin/r8ai276u_dsz2ci224-072/
http://otogiadinh.vn/nofij3ksa/072msjxbo1_9zon66-97932/

SHA256s for Epoch 2 Payload EXEs seen on 09/25/19 #### (Newest on top)

938e7fdb766187ed9d478fe763bd99748a02f73a0773407110308e4996305f65
6a5576a1676ad0bb219b18eafb74e669165ac4f7037525e57c87d8d7ec7452fc
167bca1a060947567b027a98858ca6199a270a74f544d7c620e8abeed20cf842
045801562b974c1b15cdd89060fad194ed7f26e4a39d4765a81e8a44ce06cd58
5af9d7661e940b45723004fe02728605d946bb528c984fd38d3651c17ee717f4
91f29c8521aef0e261ff28bc4824380791d63d28cf6525cdef6858157dcc210a
8c59c5626f21967e5f5675a1582a143b9c56a517d4920d21e7a0400713aa3320
28ef8575f1752b85357a17303893cdfcdfa3556981e2c540b3442903d347e6a9
47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b
e07de3adac355014ceb502ea969e2dafad41af316e9ef585a401f071ae1cf99c
435b7c3fa98486e9fd2e20a2031e3a35187b11d1fdb90be194c2db30f963d2ad
f4b7e6b558e760fa19bcee7f45835c5757def7588d68620e3f16e83a2c58ad19
a83efee43c3a8f79a7b53c0ff41da058e3445bfbb5cdce7ff050eba0d06400d8

Epoch 3 Payloads by Document SHA256 - All Times UTC #### (Newest on top)

Creation Time	2019:09:23 17:53:00 (Attachment Only - Doc based - Product Notice)
SHA256
6ad167dcd5fd5a1c20c1e40fea6b144847b565186851c171371afe3a855f1a99

https://ennaturismo.info/x4vyhnx/wz4ymnix2e-yz9i8xpum-5241/
https://131275.com/jub/HkpoHqKOt/
http://tvoriteli.co.uk/wp-admin/rexFJKmKs/
http://triadcomunicacao.com.br/cgi-bin/34l-ptp1x-1707129/
http://creativity360studio.com/wp-admin/ygyoKsByB/


Creation Time	2019:09:25 12:07 (Attachment Only - Doc based - Product Notice)
SHA256
dccb68c4d6833fd25bf4f0c472dd49f2fddefd095ed242aacfc8f90049252b47
9ef3e60aa413ad2d418ff82b037b795ad10dcff043d8c9642a35fae1b42e9964

http://beauty24.club/wp-includes/gvju6u-lse19-698411/
http://bre.com.qa/en/8pzumuyj-canza-968/
http://ciao-ciao.dev.cullth.com/wp-content/0cg8fj-hp14ue5io-30779678/
http://csyuan.life/wp-content/ZdIxAF/
http://ceciliatessierirabassi.com/yoqsz/YQnCMb/


Creation Time	2019:09:25 06:28 (Attachment Only - Doc based - Product Notice)
SHA256

http://dev.novembit.com/rattlers-html/pklrbPf/
http://dev5.kenyaweb.com/elite/o4ju8awm-l34z9jn6-7107704/
http://drukkombucha.com/wp-content/5k8-c8yeh6z6x4-577398645/
http://fastestlaundry.com/laundry/QMrYZqfYE/
http://freispieler.org/wp-includes/sfg-auz-74362/


Creation Time	2019:09:24 12:23 (Attachment Only - Doc based - Protected View)
SHA256
a56ad3d0b4f9a5d5c47c502d1db7097dfb325cbb61b9b348631926fb7fcdb450
5588fdad6c472d5d40bf01eb9b35c273a51dc90afd493fdabbaa6829db034bb8
74e47a5a9530c1ebdf7a6b3fde785982b142eb4895fbc0481b18858604c756b3
b3b6deb73b9e68a7913c0f6e5518c937e3815d8d9f568753fd50564c236112c9
f8275915e4db222df4a01242ab10fffe89b3b8d11250d169b2fb5f583b123dd3
eda134d97be6d835ce8059dd9655e50445e6099c74d27028c787c3286339bbda
ebf2c6e620369e92d176817d896ee69f1db802008db10892e2420e50866792c3
189400bae2bc8304d08d3b138ad847a1e80f5599cd65fca3d8e0ec299acde5a3
d1f24a377589bd9a6a70c60871522cf87babc1e2fbe8fce9b67fa0256c360271
bb9e3a5b7537145d12c87c2b893209e18a7fc0898584f2c0c22d3b64242b34de
f562667ec7101a82fffff304c1e2d9ab8fe38850b133d06e34a9b620d2495f42
3c3064e8147dc300b0868acbe23b191caf0f7b07df085961526eea7bfd0ca21a
988de729de90ca4daf8646dafe160d236cc41aa556d0e99623e63eff3b466f43
d787ea239b3fac1202a7286a66b4f527fd13714afdcda3d359d3ab512c1eafc1

http://saeblaser.com/wp-admin/jx7w814/
http://www.westburydentalcare.com/wp-content/tc3q3db789/
http://praguelofts.fantasy-web.net/wp-content/yho3521/
https://stencilbazaar.com/sitenhzy/wpauo191708/
http://globercm.com/wp-content/u43zzh54/

SHA256s for Epoch 3 Payload EXEs seen on 09/25/19 #### (Newest on top)

f9048a361e80d54f65586bab3905427b18cb654542cf1cc90660ea5952b11948
df45596dfdc229a3c5d58442b6611a5bb48fd6d8a77c10e9727826899665b665
c8e8f0046189852ec969626d5226e6c6ee51c4b205da91472d5e649a735dd79c
00dedbf0454633baf9a75ad8cf57ec638371ac094f09e72d3c97f6b3628db258
caec2d266c76f5944a5db613bc386892742ceac09fa458a35e222caed2f906ca
6f915a934e2273be14332cb97437cc96f73ebd29ffa593952c2b45b3cd1473a3
3241dc0ab511ce51306324e0a0810d64685086f787543b07cd64d596836cba45

C2s Per Epoch

Epoch 1 C2s

109.104.79.48:8080
109.169.86.13:8080
114.79.134.129:443
119.59.124.163:8080
119.92.51.40:8080
123.168.4.66:22
138.68.106.4:7080
139.5.237.27:443
149.62.173.247:8080
151.80.142.33:80
159.203.204.126:8080
170.84.133.72:8443
178.249.187.151:8080
178.79.163.131:8080
179.62.18.56:443
181.167.53.209:80
181.188.149.134:80
181.230.212.74:80
181.36.42.205:443
183.82.97.25:80
185.187.198.10:8080
185.86.148.222:8080
186.0.95.172:80
186.83.133.253:8080
187.155.233.46:443
187.188.166.192:80
187.199.158.226:443
187.235.239.214:8080
189.166.68.89:443
189.187.141.15:50000
190.1.37.125:443
190.104.253.234:990
190.117.206.153:443
190.158.19.141:80
190.19.42.131:80
190.200.64.180:7080
190.221.50.210:8080
190.230.60.129:80
190.230.60.129:8080
190.38.14.52:80
200.21.90.6:8080
200.57.102.71:8443
200.58.171.51:80
201.163.74.202:443
201.184.65.229:80
201.214.74.71:80
203.25.159.3:8080
211.229.116.97:80
212.71.237.140:8080
217.113.27.158:443
217.199.160.224:8080
217.199.175.216:8080
23.92.22.225:7080
46.163.144.228:80
46.21.105.59:8080
46.28.111.142:7080
46.29.183.211:8080
46.41.134.46:8080
46.41.151.103:8080
5.196.35.138:7080
5.77.13.70:80
50.28.51.143:8080
51.15.8.192:8080
62.75.143.100:7080
62.75.160.178:8080
71.244.60.230:7080
71.244.60.231:7080
77.245.101.134:8080
77.55.211.77:8080
79.143.182.254:8080
80.240.141.141:7080
80.85.87.122:8080
81.169.140.14:443
86.42.166.147:80
87.106.77.40:7080
88.250.223.190:8080
89.188.124.145:443
91.205.215.57:7080
91.83.93.124:7080

Epoch 1 - Spam C2s

104.236.185.25:8080
31.31.78.203:8080
45.55.82.2:8080

Epoch 1 - Stealer C2s

66.228.32.31:443
198.50.170.27:8080
216.98.148.157:8080

Current Epoch 1 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB

Epoch 2 C2s

101.187.237.217:20
103.97.95.218:143
104.131.11.150:8080
104.236.246.93:8080
105.186.87.144:80
119.15.153.237:80
136.243.177.26:8080
138.201.140.110:8080
142.44.162.209:8080
144.139.247.220:80
149.167.86.174:990
149.202.153.252:8080
159.65.25.128:8080
162.144.47.94:7080
169.239.182.217:8080
173.212.203.26:8080
177.246.193.139:20
178.254.6.27:7080
178.79.161.166:443
179.32.19.219:22
180.183.112.185:21
181.143.194.138:443
181.143.53.227:21
182.176.106.43:995
182.176.132.213:8090
182.76.6.2:8080
185.142.236.163:443
185.94.252.13:443
186.4.172.5:443
186.4.172.5:8080
186.75.241.230:80
187.144.189.58:50000
188.166.253.46:8080
189.209.217.49:80
190.106.97.230:443
190.145.67.134:8090
190.18.146.70:80
190.186.203.55:80
190.201.164.223:53
190.211.207.11:443
190.226.44.20:21
190.228.72.244:53
190.53.135.159:21
200.21.90.6:80
200.71.148.138:8080
201.251.43.69:8080
206.189.98.125:8080
211.63.71.72:8080
212.129.24.82:8080
212.71.234.16:8080
217.145.83.44:80
217.160.182.191:8080
222.214.218.192:8080
24.51.106.145:21
31.12.67.62:7080
31.172.240.91:8080
37.157.194.134:443
41.220.119.246:80
45.123.3.54:443
45.33.49.124:443
46.105.131.87:80
47.41.213.2:22
5.196.74.210:8080
62.75.187.192:8080
63.142.253.122:8080
77.237.248.136:8080
78.188.105.159:21
78.24.219.147:8080
80.11.163.139:21
80.11.163.139:443
83.136.245.190:8080
85.104.59.244:20
85.106.1.166:50000
86.98.25.30:53
87.106.136.232:8080
87.106.139.101:8080
87.230.19.21:8080
88.247.163.44:80
91.205.215.66:8080
91.92.191.134:8080
92.222.125.16:7080
92.222.216.44:8080
94.205.247.10:80
95.128.43.213:8080

Epoch 2 - Spam C2s

69.43.168.232:443
185.187.198.4:8080
46.228.205.245:4143

Epoch 2 - Stealer C2s

46.105.131.69:443
176.31.200.130:8080
104.131.58.132:8080

Current Epoch 2 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB

Epoch 3 C2s

108.179.216.46:8080
113.52.135.33:7080
138.197.140.163:8080
139.59.242.76:8080
143.95.101.72:8080
148.240.52.172:80
152.168.220.188:80
152.170.220.95:80
159.69.211.211:7080
162.214.27.219:7080
176.58.93.123:80
178.249.187.150:7080
179.62.18.56:443
181.1.37.38:80
181.113.229.139:990
181.165.150.211:143
181.230.126.152:8090
186.10.16.244:53
186.117.174.26:80
186.29.155.101:50000
186.93.167.147:443
189.189.214.1:21
190.10.194.42:8080
190.117.206.153:443
190.13.146.47:443
190.146.81.138:8090
190.171.105.158:7080
190.55.39.215:80
190.55.86.138:8443
190.92.103.7:80
190.96.118.15:443
194.50.163.106:8080
201.113.23.175:443
201.244.125.210:995
203.150.19.63:443
216.154.222.52:7080
216.70.88.55:8080
45.33.1.161:8080
46.32.229.152:8080
5.189.148.98:8080
70.45.30.28:80
78.109.34.178:443
83.110.75.153:8090
83.169.33.157:8080
93.78.205.196:443
94.177.253.126:80

Epoch 3 - Spam C2s

41.185.29.128:8080
94.177.253.126:80

Epoch 3 - Stealer C2s

178.32.255.133:443
198.46.150.196:7080

Current Epoch 3 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB

Credits and Notes Section


WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as soon as it is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are now in alphabetical order. The community lists below may contain content I do not have in my list. I am providing them for your benefit in case you want to parse them to be sure.

What is Epoch 1, Epoch 2 and Epoch 3?


(09/17/19)
With the find of Epoch 3 today that split from Epoch 1, this section will be rewritten to reflect these changes in time.

Community Lists


https://twitter.com/SecSome/status/1176949429707923459?s=20



(sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)

Credits

Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:

Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161

C2 info/RSA Keys - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @VK_Intel, @Paladin3161

Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk

Spam Templates - @devnullnoop

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project (https://github.com/decalage2/ViperMonkey), @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch, @urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software at no charge to this cause!

Daily Log 09/25/19



General News



Drops Report

Dreambot has been seen dropped on E2 a few times

Email Template Report


Early files featured DOC/PS, later files were DOCX/JSE.
PS commands started with '-w hidden -e'.

Waiting for more over the next few days IF they come back.

Payloads Report



 

C2 Report


79 combos on E1
84 combos on E2
46 combos on E3

Closing



TT

Sandbox 09/25/19


E1
https://capesandbox.com/submit/status/305/


E2
https://capesandbox.com/submit/status/312/


E3
https://capesandbox.com/submit/status/311/