Emotet Malware Document links/IOCs for 10/04/19 as of 10/06/19 23:00 BST
Notes and Credits at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.
Document Downloader Links
Epoch 1 Document/Downloader links
<none>
Epoch 2 Document/Downloader links
<none>
Epoch 3 Document/Downloader links
<none>
Payloads per Epoch by Document
Epoch 1 Payloads by Document SHA256 - All Times UTC #### (Newest on top)
Creation Time 2019:10:04 17:03:00 (Attachment Only - Doc based - Protected View)
SHA256
Creation Time 2019:10:04 14:43:00 (Attachment Only - Doc based - Activation Wizard)
SHA256
Creation Time 2019:10:04 05:34:00 (Attachment Only - Doc based - 365 Blue Background)
SHA256
SHA256s for Epoch 1 Payload EXEs #### (Newest on top)
Epoch 2 Payloads by Document SHA256 - All Times UTC #### (Newest on top)
Creation Time 2019:10:04 21:16:00 (Attachment Only - Doc based - Activation Wizard)
SHA256
Creation Time 2019:10:04 16:51:00 (Attachment Only - Doc based - Activation Wizard)
SHA256
Creation Time 2019:10:04 14:32:00 (Attachment Only - Doc based - Activation Wizard)
SHA256
Creation Time 2019:10:04 10:32:00 (Attachment Only - Doc based - Activation Wizard)
SHA256
Creation Time 2019:10:04 06:54:00 (Attachment Only - Doc based - Activation Wizard)
SHA256
SHA256s for Epoch 2 Payload EXEs #### (Newest on top)
Epoch 3 Payloads by Document SHA256 - All Times UTC #### (Newest on top)
Creation Time 2019:10:04 17:00:00 (Attachment Only - Doc based - Activation Wizard)
SHA256
Creation Time 2019:10:04 15:19:00 (Attachment Only - Doc based - Activation Wizard)
SHA256
Creation Time 2019:10:04 10:27:00 (Attachment Only - Doc based - Activation Wizard)
SHA256
Creation Time 2019:10:04 06:28:00 (Attachment Only - Doc based - 365 Blue Background)
SHA256
Creation Time 2019:10:04 00:11:00 (Attachment Only - Doc based - Activation Wizard)
SHA256
Creation Time 2019:10:03 19:44:00 (Attachment Only - Doc based - Protected View)
SHA256
SHA256s for Epoch 3 Payload EXEs #### (Newest on top)
C2s per Epoch
Epoch 1 C2s
Epoch 1 - Spam C2s
5.45.108.146:8080
45.55.82.2:8080
104.236.185.25:8080
Epoch 1 - Stealer C2s
66.228.32.31:443
198.50.170.27:8080
216.98.148.157:8080
Current Epoch 1 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB
Epoch 2 C2s
Epoch 2 - Spam C2s
69.43.168.232:443
185.187.198.4:8080
46.228.205.245:4143
Epoch 2 - Stealer C2s
46.105.131.69:443
176.31.200.130:8080
104.131.58.132:8080
Current Epoch 2 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB
Epoch 3 C2s
Epoch 3 - Spam C2s
162.144.47.94:7080
41.185.29.128:8080
Epoch 3 - Stealer C2s
178.32.255.133:443
198.46.150.196:7080
Current Epoch 3 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB
Credits and Notes Section
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch,
because they rock and report everything to ISPs as soon as it is confirmed to be malware. Additionally,
this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.
What is Epoch 1, Epoch 2 and Epoch 3?
(09/17/19)
With the discovery of Epoch 3, which split from Epoch 1, this section will be rewritten in time to reflect these changes.
Community Lists/Samples
https://twitter.com/jcarndt/status/1180204917698564098
https://twitter.com/Paladin3161/status/1180135076811530240
https://twitter.com/Lvanoel/status/1179990667541516288
https://twitter.com/luc4m/status/1180078839394897920
and big thanks to @unixronin for payload tweets
(sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)
Credits
Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:
Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161
C2 info/RSA Keys - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @VK_Intel, @Paladin3161
Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @TheHack3r4chan, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk, Anonymous :)
Spam Templates - @devnullnoop
Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
helping out with this!
Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
@urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software at no charge to this cause!
Daily Log 10/04/19
General News
Ursnif dropped from Emotet-style DOC
https://twitter.com/nazywam/status/1180034645255233536
Drops Report
emotet/ursnif
https://twitter.com/dor0n1/status/1180107756541550593
https://twitter.com/dor0n1/status/1179942950207414272
Email Template Report
DOC releases:
E1
E2
E3 ModifyDate: 2019:10:03 19:44:00 CreateDate: 2019:10:03 19:44:00 thisissouthafrica.com
E1
E2
E3 ModifyDate: 2019:10:04 00:11:00 CreateDate: 2019:10:04 00:11:00 www.difiza.com.mx
E1 ModifyDate: 2019:10:04 05:34:00 CreateDate: 2019:10:04 05:34:00 www.cours-theatre-anglais.com
E2 ModifyDate: 2019:10:04 06:54:00 CreateDate: 2019:10:04 06:54:00 bismillahgoc.com
E3 ModifyDate: 2019:10:04 06:28:00 CreateDate: 2019:10:04 06:28:00 luatsukiengiang.com
E1
E2 ModifyDate: 2019:10:04 10:32:00 CreateDate: 2019:10:04 10:32:00 atreveteaemprender.com
E3 ModifyDate: 2019:10:04 10:27:00 CreateDate: 2019:10:04 10:27:00 www.rexprosealers.com
E1 ModifyDate: 2019:10:04 14:43:00 CreateDate: 2019:10:04 14:43:00 imtglobals.com
E2 ModifyDate: 2019:10:04 14:32:00 CreateDate: 2019:10:04 14:32:00 thebroomcloset.net
E3 ModifyDate: 2019:10:04 15:19:00 CreateDate: 2019:10:04 15:19:00 www.frituraslavictoria.com
E1 ModifyDate: 2019:10:04 17:03:00 CreateDate: 2019:10:04 17:03:00 www.itmsas.net
E2 ModifyDate: 2019:10:04 16:51:00 CreateDate: 2019:10:04 16:51:00 www.eteensblog.com
E3 ModifyDate: 2019:10:04 17:00:00 CreateDate: 2019:10:04 17:00:00 www.fuathanalbar.com.tr
E1
E2 ModifyDate: 2019:10:04 21:16:00 CreateDate: 2019:10:04 21:16:00 www.dusan-guba.sk
E3
---
A couple of older templates first thing, then Activation Wizard for most of the day.
No JSE DOCs found today.
E3 2019:10:04 06:28:00 reused 3 hosts from E3 2019:10:03 19:44:00.
Link Regex Report
Waiting for more over the next few days, IF they come back.
Payloads Report
Process word list - executable names are built from these words based on client characteristics:
engine,finish,magnify,resapi,query,skip,wubi,svcs,router,crypto,backup,hans,xcl,con,edition,wide,loada,themes,syc,pink,tran,khmer,chx,excel,foot,wce,allow,play,publish,fwdr,prep,mspterm,nop,define,chore,shlp,maker,proc,cap,top,tablet,sizes,without,pen,dasmrc,move,cmp,rebrand,pixel,after,sms,minimum,umx,cpls,tangent,resw,class,colors,generic,license,mferror,kds,keydef,cable
EXE releases:
E1 - 7 drops between 00:15 and 20:45
E2 - 6 drops between 00:25 and 14:35, hashbusting from 17:15 to 21:25 (36 drops)
E3 - 6 drops between 08:40 and 20:45
All three epochs refreshed C2 list at ~10:00 UTC
No new weekend EXE - last drop 2019:10:04
C2 Report
84 combos on E1
90 combos on E2
41 combos on E3
Closing
TT
Sandbox 10/04/19
E1
https://capesandbox.com/submit/status/2338/
E2
https://capesandbox.com/submit/status/2185/
E3
https://capesandbox.com/submit/status/2184/