Daily Emotet IoCs and Notes for 09/26/19

Emotet Malware Document links/IOCs for 09/26/19 as of 09/27/19 01:00 BST

Notes and Credits at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.


Payloads per Epoch by Document

Epoch 1 Payloads by Document SHA256 - All Times UTC #### (Newest on top)

Creation Time	2019:09:26 15:55:00 (Attachment Only - Docx based with embedded JSE - Product Notice)


Creation Time	2019:09:26 12:52:00	(Attachment Only - Doc based - Product Notice)


Creation Time	2019:09:26 06:27:00	(Attachment Only - Doc based - Product Notice)

SHA256s for Epoch 1 Payload EXEs seen on 09/26/19 #### (Newest on top)


Epoch 2 Payloads by Document SHA256 - All Times UTC #### (Newest on top)

Creation Time	2019:09:26 15:54:00 (Attachment Only - Docx based with embedded JSE - Product Notice)


Creation Time	2019:09:26 14:00:00	(Attachment Only - Doc based - Product Notice)


Creation Time	2019:09:26 09:19:00	(Attachment Only - Doc based - Product Notice)


Creation Time	2019:09:26 06:12:00	(Attachment Only - Doc based - Product Notice)

SHA256s for Epoch 2 Payload EXEs seen on 09/26/19 #### (Newest on top)


Epoch 3 Payloads by Document SHA256 - All Times UTC #### (Newest on top)

Creation Time	2019:09:26 15:55:00 (Attachment Only - Docx based with embedded JSE - Product Notice)


Creation Time	2019:09:26 14:40:00	(Attachment Only - Doc based - Product Notice)


Creation Time	2019:09:26 06:07:00	(Attachment Only - Doc based - Product Notice)


Creation Time	2019:09:25 21:00:00 (Attachment Only - Docx based with embedded JSE - Product Notice)

SHA256s for Epoch 3 Payload EXEs seen on 09/26/19 #### (Newest on top)


C2s Per Epoch

Epoch 1 C2s


Epoch 1 - Spam C2s

5.45.108.146:8080
45.55.82.2:8080
104.236.185.25:8080

Epoch 1 - Stealer C2s

66.228.32.31:443
198.50.170.27:8080
216.98.148.157:8080

Current Epoch 1 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB

Epoch 2 C2s


Epoch 2 - Spam C2s

69.43.168.232:443
185.187.198.4:8080
46.228.205.245:4143

Epoch 2 - Stealer C2s

46.105.131.69:443
176.31.200.130:8080
104.131.58.132:8080

Current Epoch 2 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB

Epoch 3 C2s


Epoch 3 - Spam C2s

162.144.47.94:7080
41.185.29.128:8080

Epoch 3 - Stealer C2s

178.32.255.133:443
198.46.150.196:7080

Current Epoch 3 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB

Credits and Notes Section


WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch 
because they rock and report everything to ISPs as it is confirmed to be malware. Additionally, 
this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
 
NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

What is Epoch 1, Epoch 2 and Epoch 3?


(09/17/19)
With the find of Epoch 3 today that split from Epoch 1, this section will be rewritten to reflect these changes in time.

Community Lists


https://twitter.com/p5yb34m/status/1177303193207787520?s=20
https://twitter.com/Paladin3161/status/1177199688220463107?s=20
https://twitter.com/Paladin3161/status/1177199461132460033?s=20
https://twitter.com/executemalware/status/1177365782914842626?s=20


(sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)

Credits

Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:

Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161

C2 info/RSA Keys - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @VK_Intel, @Paladin3161

Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk

Spam Templates - @devnullnoop

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and 
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey,
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
@urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software at no charge to this cause!

Daily Log 09/26/19



General News

urlhaus emotet/trickbot tags
https://twitter.com/malware_traffic/status/1177280320049168384?s=20

ryuk/emotet (?) - not expected behaviour...
https://twitter.com/AltShiftPrtScn/status/1177314291126546435?s=20

Drops Report

Trickbot
https://twitter.com/D00RT_RM/status/1177185968283115520?s=20
https://twitter.com/Artilllerie/status/1177258086085607425?s=20

Ursnif
https://twitter.com/D00RT_RM/status/1177364286479511552?s=20

Email Template Report

All DOC had "Product Notice" template
Early files featured DOC/PS, later files were DOCX/JSE

Waiting for more over the next few days IF they come back.

Payloads Report

E1 - few morning updates, ~17:00 UTC began update every 5 min with 474kb EXE
E2 - few morning updates, ~17:00 UTC began update every 5 min with 474kb EXE
E3 - few morning updates, ~23:00 UTC began update every 5 min with 474kb EXE

C2 Report


83 combos on E1
86 combos on E2
46 combos on E3

Closing



TT

Sandbox 09/26/19


E1
https://capesandbox.com/submit/status/438/


E2
https://capesandbox.com/submit/status/447/


E3
https://capesandbox.com/submit/status/449/