Daily Emotet IoCs and Notes for 10/01/19

Emotet Malware Document links/IOCs for 10/01/19 as of 10/02/19 01:00 BST

Notes and Credits at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.


Payloads per Epoch by Document

Epoch 1 Payloads by Document SHA256 - All Times UTC (Newest on top)

Creation Time	2019:10:01 14:24:00	(Attachment Only - Doc based - Activation Wizard)


Creation Time	2019:10:01 06:43:00	(Attachment Only - Doc based - Product Notice)

SHA256s for Epoch 1 Payload EXEs seen on 10/01/19 (Newest on top)


Epoch 2 Payloads by Document SHA256 - All Times UTC (Newest on top)

Creation Time	2019:10:01 14:34:00	(Attachment Only - Doc based - Activation Wizard)


Creation Time	2019:10:01 13:00:00	(Attachment Only - Doc based - Activation Wizard)


Creation Time	2019:10:01 06:26:00	(Attachment Only - Doc based - Activation Wizard)

SHA256s for Epoch 2 Payload EXEs seen on 10/01/19 (Newest on top)


Epoch 3 Payloads by Document SHA256 - All Times UTC (Newest on top)

Creation Time	2019:10:01 15:19:00	(Attachment Only - Doc based - Activation Wizard)


Creation Time	2019:10:01 07:19:00	(Attachment Only - Doc based - Product Notice)

SHA256s for Epoch 3 Payload EXEs seen on 10/01/19 (Newest on top)


C2s Per Epoch

Epoch 1 C2s


Epoch 1 - Spam C2s


Epoch 1 - Stealer C2s


Current Epoch 1 RSA Public Key


Epoch 2 C2s


Epoch 2 - Spam C2s


Epoch 2 - Stealer C2s


Current Epoch 2 RSA Public Key


Epoch 3 C2s


Epoch 3 - Spam C2s


Epoch 3 - Stealer C2s


Current Epoch 3 RSA Public Key


Credits and Notes Section


WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
 
NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list. I am providing them for your benefit in case you want to parse them to be sure.

What is Epoch 1, Epoch 2 and Epoch 3?


(09/17/19)
With the discovery of Epoch 3 today, which split from Epoch 1, this section will be rewritten in time to reflect these changes.

Community Lists


new DOCs found ITW (follow @p5yb34m for more)
https://twitter.com/p5yb34m/status/1179091406997966848
https://twitter.com/p5yb34m/status/1179073855479877632

https://twitter.com/executemalware/status/1178851341692739584
https://twitter.com/reecdeep/status/1179025484979560448
https://twitter.com/58_158_177_102/status/1178963613882601472

(sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)

Credits

Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:

Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161

C2 info/RSA Keys - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @VK_Intel, @Paladin3161

Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @TheHack3r4chan, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk, Anonymous :)

Spam Templates - @devnullnoop

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey, @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch, @urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software at no charge to this cause!

Daily Log 10/01/19



General News


'activation wizard' template
https://twitter.com/GustavoColsKL/status/1179112778617036801?s=20

Pick a language - there's a #emotet article written in it.


Drops Report


emotet/trickbot
https://twitter.com/D00RT_RM/status/1179128386465218561?s=20

emotet/ursnif
https://twitter.com/58_158_177_102/status/1178963613882601472

emotet/dreambot
https://twitter.com/dor0n1/status/1178588810621390848

Email Template Report

DOC releases:
E1 ModifyDate:	2019:10:01 06:43:00	CreateDate:	2019:10:01 06:43:00 sysmobi.com
E2 ModifyDate:	2019:10:01 06:26:00	CreateDate:	2019:10:01 06:26:00 www.evolutionstaffingllp.com
E3 ModifyDate:	2019:10:01 07:19:00	CreateDate:	2019:10:01 07:19:00 groupsmarts.org
E1 ModifyDate:	2019:10:01 14:24:00	CreateDate:	2019:10:01 14:24:00 sangsnagissue.net
E2 ModifyDate:	2019:10:01 14:34:00	CreateDate:	2019:10:01 14:34:00 www.frevolalaw.com
E3 ModifyDate:	2019:10:01 15:19:00	CreateDate:	2019:10:01 15:19:00 www.n01goalkeeper.com
E1
E2 ModifyDate:	2019:10:01 13:00:00	CreateDate:	2019:10:01 13:00:00 mbaplus.tabuzzco.com
E3


E1/E2 used the Product Notice template in the morning; all other releases were Activation Wizard.
All DOCs used PowerShell.
Waiting for more over the next few days IF they come back.

Payloads Report

Process list - payload executable names are built from these words based on client characteristics:
engine,finish,magnify,resapi,query,skip,wubi,svcs,router,crypto,backup,hans,xcl,con,edition,wide,loada,themes,syc,pink,tran,khmer,chx,excel,foot,wce,allow,play,publish,fwdr,prep,mspterm,nop,define,chore,shlp,maker,proc,cap,top,tablet,sizes,without,pen,dasmrc,move,cmp,rebrand,pixel,after,sms,minimum,umx,cpls,tangent,resw,class,colors,generic,license,mferror,kds,keydef,cable


EXE releases:

E1 - 6 EXE between 09:30 and 22:45 UTC
E2 - 66 EXE between 00:00 and 07:40, then 4 EXE between 09:30 and 22:30 UTC
E3 - 4 EXE between 12:00 and 22:30 UTC

C2 Report

77 C2 IP:port combos on E1
88 C2 IP:port combos on E2
46 C2 IP:port combos on E3

Closing



TT

Sandbox 10/01/19


E1
https://capesandbox.com/submit/status/2054/


E2
https://capesandbox.com/submit/status/2053/


E3
https://capesandbox.com/submit/status/2067/