Daily Emotet IoCs and Notes for 10/03/19

Emotet Malware Document links/IOCs for 10/03/19 as of 10/04/19 01:00 BST

Notes and Credits at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.

Payloads per Epoch by Document

Epoch 1 Payloads by Document SHA256 - All Times UTC #### (Newest on top)

Creation Time	2019:10:03 22:01:00	(Attachment Only - Doc based - Activation Wizard)
SHA256
9f3375fdd94fb0f94e8f30eb2f6ca7daf794da35e2c0eb29b3dfa8fc7aa87ab0

https://dixieblissluxuries.com/wp-admin/cjm6/
https://chichomify.com/wp-includes/jvmg43731/
http://seatwoo.com/wp-admin/n224/
http://legrandmaghrebconsulting.com/wp-content/yw20/
https://betc-photographe-alsace.com/old-3-octobre/1955t1n713/


Creation Time	2019:10:03 19:38:00	(Attachment Only - Doc based - Activation Wizard)
SHA256
59068d6e671d6f91b25c2d4d2298146d1894a8d78499f5ea0ce57b96c83907f4

http://tilsimliyuzuk.com/wp-admin/4668/
https://teesvalleyinnovation.com/wp-includes/k8/
https://donvosphotography.com/applechilli.com/d57b203/
http://santakpo.com/wp-admin/j0fqauc78/
http://pl.thevoucherstop.com/wp-admin/xdx66dy1/


Creation Time	2019:10:03 12:15:00	(Attachment Only - Doc based - Protected View)
SHA256

http://huangao6.com/wp-content/o1x564/
https://nevanadesigns.com/npjcq/p4/
http://vicarhomes.com/hzwoew9/k47/
http://prewento.com/imageupload/7uds29752/
https://otomotifme.com/mdnh/3f1e16-4y58-4538/599254/


Creation Time	2019:10:03 06:24:00	(Attachment Only - Doc based - Activation Wizard)
SHA256

http://www.n01goalkeeper.com/wp-content/t69/
http://www.combinedenergytech.com/wp-content/n6/
https://www.stewardtechnicalcollege.com/wp-includes/z3311/
https://superecruiters.com/wp-content/o2p55rh89356/
http://www.newuvolume2.com/wp-content/upgrade/g1z8jf7/


Creation Time	2019:10:02 22:03:00	(Attachment Only - Docx based,JSE - Activation Wizard)
SHA256
d1b05a2c7a330bd81a7b67430b2cd4a8f69d894060dd2a12524b930d928abf4d

http://citizensforacri.com/cache2fdabbafc385c5752f54f46a083809ec/i24ob20308/
https://www.yh-metals.com/calendar/uj06uw140491/
https://bestsexologist.xyz/wp-includes/rest-api/c4xl3273/
https://87creationsmedia.com/wp-includes/t9svk97118/
https://dogustarmobilya.com/wp-admin/zqs99389/

SHA256s for Epoch 1 Payload EXEs #### (Newest on top)

4b1efdcec91a1e2385c568e61c9dae5eacb3a5d2c4f713a18271edce1f70ebdb
fc03540c6d3112c5fadd011926d576ea6e0df390d9c923f3b7519e52f63eb290
9f35e7c5a02f30bdde73e1ac97b9f45e755e722887d4f6f21737d3fc4309e197
41940ce5c3d957efda1f0fafcc86fe2adaacb4b5eda1e5cc762adb53d90f18a9
d8fdd630335e2ca9748b5b576c9a719fc289dc301bd52a92c6eae198c7c19ec8
619d6b1da80772d5bf8de941ee943c4181582e46d84480085b059863ae0fa776
f07474d7f1290784af3afd0536e91db496a535654170a6d96bb2e3fd5d77ce57

Epoch 2 Payloads by Document SHA256 - All Times UTC #### (Newest on top)

Creation Time	2019:10:03 23:55:00	(Attachment Only - Doc based - Activation Wizard)
SHA256
30e2de2aab627b596fda84fc1aedb7140c16f75a8b0de4b8eb45c9997c4a866a

http://fikirhaber.net/wp-content/y3kv20_r9bjfjy132-00/
http://allways-always.us/wp-admin/hbCSryafS/
https://hdcom.org/vmPXZgMN/
http://duskin-narakita.com/wp/wp-content/uploads/3pcm_ywcsqcnw-46525080/
http://theperfectkitandcompany.com/wp-admin/4xyr3puh_omcow6b-0126951/


Creation Time	2019:10:03 20:06:00	(Attachment Only - Doc based - Activation Wizard)
SHA256
98fdd6b7ac291d0973449342f7ca288ef5c515c2bd8c3d2ab2db303c7423cae0
ebe34bf7d9cf4834bcf42e9a33cd729cf73cf6c98efaa89ed9e486ea6a011cf9

https://www.marydating.com/wp-snapshots/TgDpgGOQJa/
https://thehansongrp.com/wp-content/8xyma8_md464kj-809271089/
https://alkemepsych.com/wp-admin/76a4_000mhwu-48/
http://mobosim.com/prla/ouprZTFTzf/
https://officekav.com/wp-admin/HHYxQcOSN/


Creation Time	2019:10:03 12:28:00	(Attachment Only - Doc based - Activation Wizard)
SHA256

http://www.pieceofpassion.net/0xrnl3/a27xm99fgd_on7xp-31134189/
http://www.marketfxelite.com/wp-admin/unnJtCHk/
https://tananfood.com/wp-includes/yoclwyWE/
http://raisabook.com/wp-content/NjBtuxBzkD/
http://biswalfoodcircle.com/vcobhlons/kaf6j_71wzkgvqso-8/


Creation Time	2019:10:03 06:47:00	(Attachment Only - Doc based - Activation Wizard)
SHA256

https://gamestrefa.com/nuoaw/luDPoOwF/
http://dopenews.pl/wp-content/iIGWYuWcCZ/
http://sieuthitrevakhoe.com/wp-content/3s354eomqv_ocec0v-6228728/
http://www.aecraft.ca/yluv/ibx8sls7m_fzcrgy-13/
https://emergences.besancon.fr/wp-includes/oh4qowoxd_v4j2t-7157558/

SHA256s for Epoch 2 Payload EXEs #### (Newest on top)


Epoch 3 Payloads by Document SHA256 - All Times UTC #### (Newest on top)

Creation Time	2019:10:03 12:38:00	(Attachment Only - Doc based - Activation Wizard)
SHA256
63892c528356bc422a55222f47276c9a7195f851d1fff3317e2b5c34a9bf3118
ade78333beef00c621cbebc413ea5546aeb0d0a699c7138549ede0accea09992
92f4402e309125755d93d883e892cd2c2024afe533996a8452c99ef0312ea308
cce2394314f254420a8df96cf11e50a0001aa2a7c82f7203ed3096cdd15c31bf

http://pratham.org/wp-content/LnqwUGqmF/
https://ahmmedgroup.com/cgi-bin/pnqyIc/
https://levarilaw.com/wp-content/rVRTTz/
https://www.eurosima.com/6rpbk/sEhWBEfsv/
https://www.notihote.com/wp-content/fLtwHqtO/


Creation Time	2019:10:03 06:12:00	(Attachment Only - Doc based - Product Notice)
SHA256
bb2529c9923cc702c9ba8550e3fa9eb2794ed51f68ee59070750bb350ceab874
5f19a7a4fad5c1c9a5b72a884090ddd6138fa10c3122101738d9cd8452dd56fe
d2aa1a1667507a26139b9350e3f010717f16ec204be0347f9d9b6ffd03eaf343
540ef14d06cd6b683bb4300f5db8bdb0512addaac3a28389c9cb7b8769011c78
1571c7d3c470bd9f45532b2a0a9ee21dd345bc486c182f4b67a85202af93d8c6
434bdc2db9090af3f32a15f897e40858fe4e34e3d87bc309d2c8909398491b1f

http://www.sofitec.fr/wp-content/uploads/o6wusx-uo201vwd5-09901/
http://parck.net/old/rn5o70dhz-evons7oico-7475/
http://hatterandsonsinc.com/wp-includes/GqxCjvhs/
http://www.koodakeayande.com/wp-admin/j0ntww8qe-y1kxqzz3-03/
http://politecompany.org/wp-content/upgrade/sTjLvDY/


Creation Time	2019:10:02 22:03:00	(Attachment Only - Docx based, JSE - Activation Wizard)
SHA256
ca325afd54c606205cfd7c33f046c1c5dfdc290cea77d950e2afcd5149916a74
3f8f6ab1667fe244dc9aa4eeb1f0e6d5f7d7d9bd1cff12146d5a187d659636ee
1334f8d9efc146a3a6cb8e9de5331dc988399ab3c30dc3cdf94b1dbbfb4a27fa
9902ef85399f51635f57cd9e2bb210fab72cb86a241cd15755ecc73d6f192ac2
07cbfbcc211df1ebfec5c35a08a076a78bb4e42d7928ee3449d7e639daea2357

https://www.lenoxsalons.com/cgi-bin/vVHqRUObG/
https://www.skylandtowncenter.com/wp-includes/JTmLLzo/
http://leadsift.com/wp-includes/0qqmm4-uk847qkjw-2272/
http://01synergy.com/eventApp/mh79kti8-zefcx8vbrw-2881640262/
https://latinannualmeeting.com/dhm/665siogumh-ivchy86o-7624673657/

SHA256s for Epoch 3 Payload EXEs #### (Newest on top)

d1f3fb007a33b47f92c483818c337d76ea65156fc6f9cb870032227dfe1599e1
d6e3bb2182866fa0f6448f1a331bcf3afe1145c82645f91447c8d855d883eeb9
3e5673ca1c55f09dc0c68462c2262ff8d777bcbdc6124af5fa9fbc08118282d7
6cb991636fd1a3480bc98aac660ae42c2fa6f7a9d7eacd73999e0b83c3626f19
c15f39cd2deedff718e81ed1868ad5898e2597b1665d6741ee302710e18583f0
ac5d589c2815b0560809d038fee429aba3d3b9577f88008b7f11b098c991d8ef

C2s per Epoch

Epoch 1 C2s

109.104.79.48:8080
109.169.86.13:8080
113.170.129.113:443
114.79.134.129:443
119.159.150.176:443
119.59.124.163:8080
119.92.51.40:8080
123.168.4.66:22
138.68.106.4:7080
139.5.237.27:443
142.93.82.57:8080
149.62.173.247:8080
151.80.142.33:80
159.203.204.126:8080
170.84.133.72:7080
170.84.133.72:8443
178.249.187.151:8080
178.79.163.131:8080
181.188.149.134:80
181.29.101.13:8080
181.36.42.205:443
183.82.97.25:80
184.69.214.94:20
185.187.198.10:8080
185.86.148.222:8080
186.0.95.172:80
186.1.41.111:443
186.83.133.253:8080
187.150.150.127:7080
187.188.166.192:80
189.166.68.89:443
190.1.37.125:443
190.10.194.42:8080
190.104.253.234:990
190.158.19.141:80
190.221.50.210:8080
190.230.60.129:80
190.230.60.129:8080
190.38.14.52:80
190.85.152.186:8080
200.51.94.251:143
200.57.102.71:8443
200.58.171.51:80
201.163.74.202:443
201.183.247.58:443
201.184.65.229:80
201.199.93.30:443
203.25.159.3:8080
212.71.237.140:8080
217.199.160.224:8080
217.199.175.216:8080
23.92.22.225:7080
46.163.144.228:80
46.21.105.59:8080
46.28.111.142:7080
46.29.183.211:8080
46.41.151.103:8080
5.196.35.138:7080
5.77.13.70:80
50.28.51.143:8080
51.15.8.192:8080
62.75.143.100:7080
62.75.160.178:8080
71.244.60.230:7080
71.244.60.231:7080
74.208.74.92:8080
76.69.29.42:80
77.245.101.134:8080
77.55.211.77:8080
78.189.76.2:50000
79.129.0.173:7080
79.129.0.173:8080
79.143.182.254:8080
80.240.141.141:7080
80.85.87.122:8080
81.169.140.14:443
81.213.215.216:50000
86.42.166.147:80
87.106.77.40:7080
88.250.223.190:8080
89.188.124.145:443
89.32.150.160:8080
91.205.215.57:7080
91.83.93.124:7080

Epoch 1 - Spam C2s

5.45.108.146:8080
45.55.82.2:8080
104.236.185.25:8080

Epoch 1 - Stealer C2s

66.228.32.31:443
198.50.170.27:8080
216.98.148.157:8080

Current Epoch 1 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB

Epoch 2 C2s

101.187.237.217:20
103.255.150.84:80
103.97.95.218:143
104.131.11.150:8080
104.236.246.93:8080
115.78.95.230:443
124.240.198.66:80
136.243.177.26:8080
138.201.140.110:8080
142.44.162.209:8080
144.139.247.220:80
149.167.86.174:990
149.202.153.252:8080
152.89.236.214:8080
159.65.25.128:8080
169.239.182.217:8080
173.212.203.26:8080
178.254.6.27:7080
178.79.161.166:443
179.32.19.219:22
181.143.194.138:443
181.143.53.227:21
181.31.213.158:8080
182.176.106.43:995
182.176.132.213:8090
182.76.6.2:8080
185.14.187.201:8080
185.94.252.13:443
186.4.172.5:20
186.4.172.5:443
186.4.172.5:8080
186.75.241.230:80
188.166.253.46:8080
189.209.217.49:80
190.106.97.230:443
190.108.228.48:990
190.145.67.134:8090
190.18.146.70:80
190.186.203.55:80
190.211.207.11:443
190.226.44.20:21
190.228.72.244:53
190.53.135.159:21
192.254.173.31:8080
199.19.237.192:80
200.71.148.138:8080
201.251.43.69:8080
206.189.98.125:8080
211.63.71.72:8080
212.71.234.16:8080
217.145.83.44:80
217.160.182.191:8080
222.214.218.192:8080
24.51.106.145:21
27.147.163.188:8080
27.4.80.183:443
31.12.67.62:7080
31.172.240.91:8080
37.157.194.134:443
41.220.119.246:80
45.123.3.54:443
45.33.49.124:443
45.79.188.67:8080
46.105.131.87:80
47.41.213.2:22
5.196.74.210:8080
62.75.187.192:8080
63.142.253.122:8080
67.225.229.55:8080
78.24.219.147:8080
80.11.163.139:21
80.11.163.139:443
80.79.23.144:443
83.136.245.190:8080
85.104.59.244:20
85.106.1.166:50000
85.54.169.141:8080
86.98.25.30:53
87.106.136.232:8080
87.106.139.101:8080
87.230.19.21:8080
88.156.97.210:80
91.121.116.137:443
91.205.215.66:8080
92.222.125.16:7080
92.222.216.44:8080
92.233.128.13:143
94.192.225.46:80
94.205.247.10:80
95.128.43.213:8080

Epoch 2 - Spam C2s

69.43.168.232:443
185.187.198.4:8080
46.228.205.245:4143

Epoch 2 - Stealer C2s

46.105.131.69:443
176.31.200.130:8080
104.131.58.132:8080

Current Epoch 2 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB

Epoch 3 C2s

108.166.188.146:7080
108.179.216.46:8080
110.36.234.146:80
113.52.135.33:7080
116.203.117.76:80
125.99.61.162:7080
138.197.140.163:8080
139.59.242.76:8080
143.95.101.72:8080
176.58.93.123:80
178.249.187.150:7080
181.113.229.139:990
181.230.126.152:8090
181.231.62.54:80
181.53.252.85:990
181.55.171.237:8080
181.57.102.203:8080
181.97.70.132:8080
186.10.16.244:53
186.139.205.130:21
190.13.146.47:443
190.55.86.138:8443
200.114.134.8:20
201.196.15.79:990
201.244.125.210:995
203.99.182.135:443
212.112.113.235:80
216.154.222.52:7080
216.70.88.55:8080
41.60.202.26:22
45.33.1.161:8080
46.32.229.152:8080
5.189.148.98:8080
51.38.134.203:8080
70.45.30.28:80
78.109.34.178:443
80.227.67.18:20
83.169.33.157:8080
93.78.205.196:443
94.177.253.126:80
95.216.207.86:7080

Epoch 3 - Spam C2s

162.144.47.94:7080
41.185.29.128:8080

Epoch 3 - Stealer C2s

178.32.255.133:443
198.46.150.196:7080

Current Epoch 3 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB
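
Added example, not part of the original paste: the three "Current Epoch N RSA Public Key" blobs above are the base64 DER SubjectPublicKeyInfo of each epoch's key. The Python below parses that DER by hand (no third-party library) so the modulus and exponent can be checked and an observed key mapped back to its epoch. The key strings are copied from this page; the `parse_spki`, `key_fingerprint` and `epoch_for_key` helpers are the addition and not from any Cryptolaemus tooling.

```python
import base64
import hashlib

# The three "Current Epoch N RSA Public Key" blobs from this page, re-joined into
# single base64 strings (the page wraps them at 64 characters).
EPOCH_KEYS = {
    1: ("MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB"
        "KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0"
        "h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB"),
    2: ("MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2"
        "PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C"
        "AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB"),
    3: ("MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP"
        "4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc"
        "iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB"),
}

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_bytes, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_spki(b64):
    """Return (modulus, exponent) from a base64 SubjectPublicKeyInfo holding an RSA key."""
    der = base64.b64decode(b64)
    tag, spki, end = _tlv(der, 0)                 # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, algid, pos = _tlv(spki, 0)               # AlgorithmIdentifier ::= SEQUENCE
    oid_tag, oid, _ = _tlv(algid, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _tlv(spki, pos)              # subjectPublicKey ::= BIT STRING
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING (non-zero unused bits)")
    _, rsapub, _ = _tlv(bitstr, 1)                # RSAPublicKey ::= SEQUENCE { n, e }
    ntag, n_bytes, pos = _tlv(rsapub, 0)
    etag, e_bytes, _ = _tlv(rsapub, pos)
    if ntag != 0x02 or etag != 0x02:
        raise ValueError("RSAPublicKey integers missing")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def key_fingerprint(b64):
    """SHA-256 of the DER bytes: a stable, whitespace-independent identifier for a key."""
    return hashlib.sha256(base64.b64decode(b64)).hexdigest()


def epoch_for_key(b64):
    """Map a key seen elsewhere (e.g. a config dump) to its epoch number, or None."""
    target = parse_spki(b64)
    for epoch, known in EPOCH_KEYS.items():
        if parse_spki(known) == target:
            return epoch
    return None


if __name__ == "__main__":
    for epoch, key in EPOCH_KEYS.items():
        n, e = parse_spki(key)
        print(f"Epoch {epoch}: {n.bit_length()}-bit modulus, e={e}, sha256={key_fingerprint(key)[:16]}...")
```

All three blobs decode to a 768-bit modulus with public exponent 65537; the modulus is what distinguishes the epochs, so compare the parsed integers (or the DER hash) rather than the wrapped base64 text, which differs only in where it was line-broken.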

Credits and Notes Section


WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch 
because they rock and report everything to ISPs as it is confirmed to be malware. Additionally, 
this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
 
NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

What is Epoch 1, Epoch 2 and Epoch 3?


(09/17/19)
With the discovery of Epoch 3 today, which split from Epoch 1, this section will be rewritten to reflect these changes in time.

Community Lists


new DOCs found ITW (follow @p5yb34m for more)
https://twitter.com/p5yb34m/status/1179882914172952576
https://twitter.com/p5yb34m/status/1179862254046437376
https://twitter.com/p5yb34m/status/1179849188638523392


https://twitter.com/executemalware/status/1179920097756008449
https://twitter.com/Paladin3161/status/1179908630969118720


(sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)

Credits

Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:

Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161

C2 info/RSA Keys - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @VK_Intel, @Paladin3161

Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @TheHack3r4chan, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk, Anonymous :)

Spam Templates - @devnullnoop

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and 
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey , 
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch, 
@urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software no charge to this cause!

Daily Log 10/03/19



General News

Dridex using a PowerShell script very similar to Emotet's, on a host shared with Emotet (thread)
https://twitter.com/p5yb34m/status/1179438460454629376

Drops Report

emotet/ursnif/dreambot
https://twitter.com/dor0n1/status/1179739704608075776
https://twitter.com/D00RT_RM/status/1179719635442294784

Email Template Report

DOC releases:
E1 ModifyDate:	2019:10:02 22:03:00	CreateDate:	2019:08:15 08:10:00Z citizensforacri.com
E2
E3 ModifyDate:	2019:10:02 22:03:00	CreateDate:	2019:08:15 08:10:00Z www.lenoxsalons.com
E1 ModifyDate:	2019:10:03 06:24:00	CreateDate:	2019:10:03 06:24:00 www.n01goalkeeper.com
E2 ModifyDate:	2019:10:03 06:47:00	CreateDate:	2019:10:03 06:47:00 gamestrefa.com
E3 ModifyDate:	2019:10:03 06:12:00	CreateDate:	2019:10:03 06:12:00 www.sofitec.fr
E1 ModifyDate:	2019:10:03 12:15:00	CreateDate:	2019:10:03 12:15:00 huangao6.com
E2 ModifyDate:	2019:10:03 12:28:00	CreateDate:	2019:10:03 12:28:00 www.pieceofpassion.net
E3 ModifyDate:	2019:10:03 12:38:00	CreateDate:	2019:10:03 12:38:00 pratham.org
E1 ModifyDate:	2019:10:03 19:38:00	CreateDate:	2019:10:03 19:38:00 tilsimliyuzuk.com
E2 ModifyDate:	2019:10:03 20:06:00	CreateDate:	2019:10:03 20:06:00 www.marydating.com
E3
E1 ModifyDate:	2019:10:03 22:01:00	CreateDate:	2019:10:03 22:01:00 dixieblissluxuries.com
E2 ModifyDate:	2019:10:03 23:55:00	CreateDate:	2019:10:03 23:55:00 fikirhaber.net
E3


Waiting for more over the next few days IF they come back. 

Payloads Report

Process list - payload executable names are built from these words based on client characteristics
engine,finish,magnify,resapi,query,skip,wubi,svcs,router,crypto,backup,hans,xcl,con,edition,wide,loada,themes,syc,pink,tran,khmer,chx,excel,foot,wce,allow,play,publish,fwdr,prep,mspterm,nop,define,chore,shlp,maker,proc,cap,top,tablet,sizes,without,pen,dasmrc,move,cmp,rebrand,pixel,after,sms,minimum,umx,cpls,tangent,resw,class,colors,generic,license,mferror,kds,keydef,cable
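
Added example, not from the original paste: a hunting check that asks whether an executable name can be assembled entirely from the word list above. It assumes the name is a plain concatenation of list words (the page says names are "built from these" and does not give the exact construction, so the word count is a parameter rather than a fixed value); the sample paths are constructed and the `looks_like_emotet_name` helper is mine, not Cryptolaemus tooling.

```python
import functools
from pathlib import PureWindowsPath

# Word list as published on this page (Payloads Report, "process list").
EMOTET_WORDS = frozenset(
    "engine,finish,magnify,resapi,query,skip,wubi,svcs,router,crypto,backup,hans,xcl,"
    "con,edition,wide,loada,themes,syc,pink,tran,khmer,chx,excel,foot,wce,allow,play,"
    "publish,fwdr,prep,mspterm,nop,define,chore,shlp,maker,proc,cap,top,tablet,sizes,"
    "without,pen,dasmrc,move,cmp,rebrand,pixel,after,sms,minimum,umx,cpls,tangent,resw,"
    "class,colors,generic,license,mferror,kds,keydef,cable".split(",")
)


def segmentations(name, words=EMOTET_WORDS):
    """Every way to split `name` into consecutive words from `words` (prefix DP)."""

    @functools.lru_cache(maxsize=None)
    def rec(i):
        if i == len(name):
            return [[]]
        out = []
        for j in range(i + 1, len(name) + 1):
            w = name[i:j]
            if w in words:
                for rest in rec(j):
                    out.append([w] + rest)
        return out

    return rec(0)


def looks_like_emotet_name(path, min_words=2):
    """True if the basename (extension stripped, case-folded) is made only of list
    words and uses at least `min_words` of them. Assumption: plain concatenation."""
    stem = PureWindowsPath(path).stem.lower()
    return any(len(seg) >= min_words for seg in segmentations(stem))


if __name__ == "__main__":
    # Constructed sample paths, not observed artefacts.
    for p in [r"C:\Users\x\AppData\Local\wubisvcs\wubisvcs.exe",
              "enginefinish.exe", "notepad.exe", "excel.exe"]:
        print(p, "->", looks_like_emotet_name(p), segmentations(PureWindowsPath(p).stem.lower()))
```

The list contains short, common fragments (con, top, pen, cap, sms, excel), so a single-word match is worthless and even two-word matches can be accidental; the default of two words keeps the check as a lead to be confirmed against the payload SHA256s listed above, not a verdict on its own.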


EXE releases:
E1 - 
E2 - 
E3 - 

C2 Report

84 combos on E1
90 combos on E2
41 combos on E3
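
Added example, not part of the original paste: a parser for the ip:port lists in the layout used under "C2s per Epoch" above, plus a lookup of connection records against them. The embedded excerpt is a handful of entries copied from the lists (not the full 84/90/41), the flow records are constructed, and the helper names are mine.

```python
import ipaddress
import re
from collections import defaultdict

# Excerpt in the layout of this page's C2 section: a few of the listed
# ip:port pairs under each heading, not the complete lists.
C2_SECTION = """\
Epoch 1 C2s

109.104.79.48:8080
123.168.4.66:22
184.69.214.94:20

Epoch 1 - Spam C2s

5.45.108.146:8080

Epoch 1 - Stealer C2s

66.228.32.31:443

Epoch 2 C2s

101.187.237.217:20
190.228.72.244:53

Epoch 3 C2s

108.166.188.146:7080
186.10.16.244:53
"""

HEADING = re.compile(r"^Epoch (\d+)(?: - (\w+))? C2s$")
ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_c2s(text):
    """Return {(ip, port): (epoch, role)}; role is 'C2', 'Spam' or 'Stealer'."""
    table = {}
    epoch = role = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADING.match(line)
        if m:
            epoch, role = int(m.group(1)), m.group(2) or "C2"
            continue
        m = ENDPOINT.match(line)
        if m and epoch is not None:
            ip = str(ipaddress.ip_address(m.group(1)))   # rejects malformed octets
            table[(ip, int(m.group(2)))] = (epoch, role)
    return table


def combos_per_epoch(table):
    """Count plain (non-Spam, non-Stealer) ip:port combos per epoch, as in the C2 Report."""
    counts = defaultdict(int)
    for (_ip, _port), (epoch, role) in table.items():
        if role == "C2":
            counts[epoch] += 1
    return dict(counts)


# Constructed flow records (src, dst_ip, dst_port); not from any real log.
FLOWS = [
    ("10.0.0.5", "123.168.4.66", 22),
    ("10.0.0.5", "8.8.8.8", 53),
    ("10.0.0.7", "186.10.16.244", 53),
    ("10.0.0.9", "109.104.79.48", 443),   # listed IP, but on an unlisted port
]


def match_flows(flows, table):
    """Return (src, dst_ip, dst_port, epoch, role) for flows to a listed ip:port pair."""
    hits = []
    for src, dst_ip, dst_port in flows:
        key = (dst_ip, dst_port)
        if key in table:
            hits.append((src, dst_ip, dst_port) + table[key])
    return hits


if __name__ == "__main__":
    table = parse_c2s(C2_SECTION)
    print("combos per epoch (excerpt):", combos_per_epoch(table))
    for hit in match_flows(FLOWS, table):
        print("hit:", hit)
```

With the full section pasted into `C2_SECTION`, `combos_per_epoch` reproduces the 84/90/41 figures in the C2 Report. Matching is on the exact ip:port pair: several hosts are listed on more than one port (170.84.133.72 on 7080 and 8443, 186.4.172.5 on 20, 443 and 8080), and the ports include 20, 21, 22, 53, 143 and 443, so neither the port nor the address alone is a usable signal.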

Closing



TT

Sandbox 10/03/19


E1
https://capesandbox.com/submit/status/2106/


E2
https://capesandbox.com/submit/status/2123/


E3
https://capesandbox.com/submit/status/2126/