Daily Emotet IoCs and Notes for 10/07/19

Emotet Malware Document links/IOCs for 10/07/19 as of 10/08/19 01:00 BST

Notes and Credits at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.


Payloads per Epoch by Document

Epoch 1 Payloads by Document SHA256 - All Times UTC

Creation Time	2019:10:07 16:32:00	(Attachment Only - Doc based - Protected View)
SHA256
http://homengy.com/wp-content/o6ba7c1/
https://www.whpipe.com/wp-content/9wi8947/
https://g-rolled.com/wp-includes/jmci4575/
https://larsyacleanq8.com/nature/gs02705/
http://indievisualent.com/z76834/


Creation Time	2019:10:07 13:14:00	(Attachment Only - Doc based - Protected View)
SHA256
7c004410baf583625f6eb722ebfbeda91729f5abb47db43caa6ce776c28da1a2
4cf6479fac00f6af1fe7f1ed08dae363a180101cddf4ae1d4ac694fd4654347b
b51c95d1f852998ef04958830d10b3b07fd17aee8edcda775424bf0bfb767ed8
43bd5f9be15730b23647d0e7bab49201d95611aaccbf3f8691b29c15188eed0a
a3bcc791c70b3f5f2c58e08969db159b20d2ac4302f8b4dce480f88929427033
ecde0ffef856fdc00cc403b29cce465bfe79c4e550eef9f4031817205b6c5780
340ef2124fa1a4357608d22e0e161d25ff675c5994d6567d99aa5abcd4f48fc6

https://www.tenangagrofarm.com/wp-includes/y5xap6y12/
https://blog.ahoomstore.com/wp-content/uploads/jhncm1/
http://nekobiz.ikie3.com/wp-includes/2w52077/
http://www.travel-turkey.net/cgi-bin/stc763922/
http://prewento.com/imageupload/der1d3/


Creation Time	2019:10:07 11:50:00	(Attachment Only - Doc based - Activation Wizard)
SHA256
a63c5b501713f33599d706c73d4b24a68fb858b0a9556dab74d06120c1de2847
234acd41dec8e74f73f9bcb1aedb41d914a8bde5a0f1c80565c80dc059ad4d3e
8c56d65fdbb53d190290b199b0760a0d60d5dc74d5fc127da465d6132767d2c4
8b22718428803f99aa14aacd4951fe87296e4b96dd8dd12dc1fef5c0787d520b
ef61a2648361f0b6f6491180b30bccb6ede73c308595826665b3c205dbc00206
9d11550c2732fcefcc3024f79e6d03a9ce2bff7e87947ce4973c715edd9edb22
16d7e7c51a61fc80d52f446abc0dd6cee74ff3f05beef78b072b462535f3744f
83a7a57b21575b206b0a0995da02b414a3bb073d73205ae858506be50a60d69e
60b379ca467dc3655c0d833046dbb869669e777b44f34f4a44ee149637750e19

https://www.materialsscienceconferences.com/wp-admin/l21/
http://huisuwl.com/wp-content/x9/
http://umbastudiocom.ipage.com/wp-content/zzl31/
https://nosmenu.com/wp-content/ls0mzew7507/
https://riyansolution.com/b1ecbx/snaemb293/


Creation Time	2019:10:07 06:19:00	(Attachment Only - Doc based - Product Notice)
SHA256
http://efectivafm.com/wp-includes/fde9lts8/
http://www.thepartnerships.com/lwyqoup/ikl1423/
https://techecn.com/installl/41v4ggw7075/
https://dahuanigeria.com/cgi-bin/635/
https://capitalpremiumfinancinginc.com/cgi-bin/v53/

SHA256s for Epoch 1 Payload EXEs

85155fc717040df9d7f7ccec1da006ec83a75c766124db5892459716b68350c8
82d52d986f4a521f16e0a8e7657a61871fc0c7f4c319abb7cf5dff48392facd2
7e4c8d28659bfeab8df2557d890ef38d6ad0a6b6aa0b48501a7268907c6e188c
224f9ca9a8c26292e61e2143a3c0e47ebbd443bc67991f588f4cd3073ede3d96
b0188b12fd225045e3fc67251304640c23b3d4b7773abebfe7e63ffe7904170b

Epoch 2 Payloads by Document SHA256 - All Times UTC

Creation Time	2019:10:07 16:37:00	(Attachment Only - Doc based - Activation Wizard)
SHA256
d6d69d99fbcfa398e8b49f3aca68cf0c0000aedd578ea9a505e3161f1b10880f
7b32edef92bebe3b63ecb39c00062d383560de5495c5aeb19828dbd7555b4aea
7546d3b8c6b64616e0a42526346ae3543ac7a18aee8d5e5404df53fdd1bb0740

http://theinspiredblogger.com/ybcbnb/aw4u7hh2q8_85ugx8l-951/
http://annaspetportraits.com/wp-admin/bLVkHdUKqR/
http://targetcm.net/wp-includes/jzStQVxd/
http://www.essayseller.com/wp-snapshots/BHYISqZIIA/
http://blog.gormey.com/wp-content/uploads/PzJrVsIf/


Creation Time	2019:10:07 11:38:00	(Attachment Only - Doc based - Activation Wizard)
SHA256
http://dulich.goasiatravel.com/calendar/u8hsm_46c4yi-6024747470/
https://drewnianazagroda.pl/c0nm/PtlOoIWOzs/
http://latestgovernment.com/pramodchoudhary.examqualify.com/CKBOIhWtjs/
https://kurumsalinternetsitesi.com/wp-content/wgSCKDClY/
https://edealsadvisor.com/wp-includes/ZqLAroEkK/


Creation Time	2019:10:07 06:34:00	(Attachment Only - Doc based - Activation Wizard)
SHA256
https://culturalmastery.com/mt_images/5tmgbj1n_if3jvr8-1687116/
https://crismarti360.com/wp-content/HHNQNIuArp/
http://www.nurturetherapies.ca/stats/goNJYfLJs/
https://encplaza.com/wp-admin/nfhsp5mf98_qntcum3am-0/
http://luatsukiengiang.com/demo/3w044meix2_d7e9oorz6-86962902/

SHA256s for Epoch 2 Payload EXEs

bba060e5e798cb68bfdc07b04d045b0aec12dbf427593c9643b7a22403138340
16d007d650d117c68da005747378f16cebe820e75a2565be70602fad2cb6e1fe
10437ba864b8d797419eeaf8d99717aaf2a96499f375d9ee2903803c0a5908e6
26e6336dd5210c84e4e64f6590d7169322886591fde13fe158cd310305ad4f7a
4cc2af78a3fdbfb10a78bdaeb14fd8ce7b697905b9a3a595c868fcd458c66285

Epoch 3 Payloads by Document SHA256 - All Times UTC

Creation Time	2019:10:07 16:44:00	(Attachment Only - Doc based - Activation Wizard)
SHA256
47fc488125af027fde9a62890adfa52126269aafa5403f5340bcce3b8900b30b
3ff6760d584298e8c6a835bd47624cad2c93dd88ea4145c2b2c2c6dffbc2b30c
0d60ba298257b8752b2a4c7ff2265ade0f713632bcec4b6ba14e9a68f9509765
22a929526dbef523682783b3c00f185125224ceac893fa997212c6588cac3923
997e069464701e224c78aafca002035d0b364fedad95cd3f380eb1e0581dcfcf
63ea5e11be65f7a02f5de2fa28486e83183341b45d1614865f789bc4ac5f580c
3ba1270eb0c11c02900dd59bec9ea257ae2053cfd4fcdc9f0181637c3dbae0d9

http://www.stepsofcoffee.com/wp-content/SGEAGP/
http://ndit.ca/GoogleSpeech/kf625fs-y8s-750783/
http://www.splitrailtickets.com/css/p6zkmfw5c-ud55h-438693720/
http://casaderepousosantoandre.com.br/cgi-bin/mtkc3r9onh-1rz-027871245/
http://scoalateliu.info/u53ny/q9e7j95roz-bxukb3j-27949/


Creation Time	2019:10:07 11:57:00	(Attachment Only - Doc based - Activation Wizard)
SHA256
7e134ad6bdd7faf38902afaba92347091b3d6d025cd2bbc9925999bfbb62d7d3

http://stavixcamera.com/v8tlpmdq/itsg9mpn-w48z-6281538/
http://nhaxequanghuy.com/wp-admin/eQqpVhlL/
http://chuyentiendinhcu.vn/uzfg8i2/eLlmVmDLL/
http://co-art.vn/wordpress/xSaFqanl/
https://hope-hospice.com/wp-content/2dp-4b51k6m1xs-3414761/

SHA256s for Epoch 3 Payload EXEs

b6023a3df41ccaf6efd29754c13bb8495037f44610512f923a50156cf3742608
cc018d290cb53559e3800484a931c4ead575807052a2b24b1e584067fa9f1b95
3b80ffd62ee699ec00a5ebdf53dac8abc2ad7647cf69699849f27f15c9527a83
34ddb9c6c3a0db856777b7942341bba22fc92267a4f71f6b87a9433617e49214

C2s Per Epoch

Epoch 1 C2s

103.31.232.93:443
109.104.79.48:8080
109.169.86.13:8080
113.170.129.113:443
114.79.134.129:443
119.159.150.176:443
119.59.124.163:8080
119.92.51.40:8080
123.168.4.66:22
138.68.106.4:7080
139.5.237.27:443
142.93.82.57:8080
149.62.173.247:8080
151.80.142.33:80
159.203.204.126:8080
170.84.133.72:7080
170.84.133.72:8443
178.249.187.151:8080
178.79.163.131:8080
181.188.149.134:80
181.29.101.13:8080
181.36.42.205:443
182.188.39.68:80
183.82.97.25:80
184.69.214.94:20
185.187.198.10:8080
185.86.148.222:8080
186.0.95.172:80
186.1.41.111:443
186.83.133.253:8080
187.188.166.192:80
189.160.49.234:8443
189.166.68.89:443
190.1.37.125:443
190.10.194.42:8080
190.104.253.234:990
190.158.19.141:80
190.221.50.210:8080
190.230.60.129:80
190.230.60.129:8080
190.38.14.52:80
190.85.152.186:8080
200.51.94.251:143
200.57.102.71:8443
200.58.171.51:80
201.163.74.202:443
201.183.247.58:443
201.184.65.229:80
201.199.93.30:443
203.25.159.3:8080
212.71.237.140:8080
217.199.160.224:8080
46.101.212.195:8080
46.163.144.228:80
46.28.111.142:7080
46.29.183.211:8080
46.41.151.103:8080
5.1.86.195:8080
5.196.35.138:7080
5.77.13.70:80
50.28.51.143:8080
51.15.8.192:8080
62.75.143.100:7080
62.75.160.178:8080
68.169.49.14:7080
68.183.170.114:8080
68.183.190.199:8080
69.162.169.173:8080
71.244.60.230:7080
71.244.60.231:7080
76.69.29.42:80
77.245.101.134:8080
77.55.211.77:8080
78.189.76.2:50000
79.129.0.173:8080
79.143.182.254:8080
80.240.141.141:7080
80.85.87.122:8080
81.169.140.14:443
81.213.215.216:50000
86.42.166.147:80
87.106.77.40:7080
88.250.223.190:8080
89.188.124.145:443
91.205.215.57:7080
91.83.93.124:7080

Epoch 1 - Spam C2s

5.45.108.146:8080
45.55.82.2:8080
104.236.185.25:8080

Epoch 1 - Stealer C2s

66.228.32.31:443
198.50.170.27:8080
216.98.148.157:8080

Current Epoch 1 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB

Epoch 2 C2s

101.187.237.217:20
103.255.150.84:80
103.97.95.218:143
104.131.11.150:8080
104.236.246.93:8080
115.78.95.230:443
124.240.198.66:80
136.243.177.26:8080
138.201.140.110:8080
142.44.162.209:8080
144.139.247.220:80
149.167.86.174:990
149.202.153.252:8080
152.89.236.214:8080
159.65.25.128:8080
169.239.182.217:8080
173.212.203.26:8080
178.254.6.27:7080
178.79.161.166:443
179.32.19.219:22
181.143.194.138:443
181.143.53.227:21
181.31.213.158:8080
182.176.106.43:995
182.176.132.213:8090
182.76.6.2:8080
185.94.252.13:443
186.4.172.5:20
186.4.172.5:443
186.4.172.5:8080
186.75.241.230:80
188.166.253.46:8080
189.209.217.49:80
190.106.97.230:443
190.108.228.48:990
190.145.67.134:8090
190.18.146.70:80
190.186.203.55:80
190.211.207.11:443
190.226.44.20:21
190.228.72.244:53
190.53.135.159:21
192.254.173.31:8080
199.19.237.192:80
200.71.148.138:8080
201.251.43.69:8080
206.189.98.125:8080
211.63.71.72:8080
212.71.234.16:8080
217.145.83.44:80
217.160.182.191:8080
222.214.218.192:8080
24.51.106.145:21
27.147.163.188:8080
27.4.80.183:443
31.12.67.62:7080
31.172.240.91:8080
37.157.194.134:443
41.220.119.246:80
45.123.3.54:443
45.33.49.124:443
45.79.188.67:8080
46.105.131.87:80
47.41.213.2:22
5.196.74.210:8080
62.75.187.192:8080
63.142.253.122:8080
67.225.229.55:8080
78.24.219.147:8080
80.11.163.139:21
80.11.163.139:443
80.79.23.144:443
83.136.245.190:8080
85.104.59.244:20
85.106.1.166:50000
85.54.169.141:8080
86.98.25.30:53
87.106.136.232:8080
87.106.139.101:8080
87.230.19.21:8080
88.156.97.210:80
91.121.116.137:443
91.205.215.66:8080
92.222.216.44:8080
92.233.128.13:143
94.192.225.46:80
94.205.247.10:80
95.128.43.213:8080

Epoch 2 - Spam C2s

69.43.168.232:443
185.187.198.4:8080
46.228.205.245:4143

Epoch 2 - Stealer C2s

46.105.131.69:443
176.31.200.130:8080
104.131.58.132:8080

Current Epoch 2 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB

Epoch 3 C2s

108.179.216.46:8080
110.36.234.146:80
113.52.135.33:7080
125.99.61.162:7080
138.197.140.163:8080
139.59.242.76:8080
143.95.101.72:8080
173.249.157.58:8080
176.58.93.123:80
178.249.187.150:7080
181.113.229.139:990
181.230.126.152:8090
181.231.62.54:80
181.53.252.85:990
181.57.102.203:8080
181.97.70.132:8080
186.10.16.244:53
186.139.205.130:21
190.13.146.47:443
190.55.86.138:8443
192.241.220.183:8080
200.114.134.8:20
201.196.15.79:990
201.244.125.210:995
203.99.182.135:443
212.112.113.235:80
216.70.88.55:8080
41.60.202.26:22
5.189.148.98:8080
51.38.134.203:8080
70.45.30.28:80
78.109.34.178:443
78.189.94.99:8443
80.227.67.18:20
83.169.33.157:8080
91.109.5.28:8080
93.78.205.196:443
94.177.253.126:80
95.216.207.86:7080

Epoch 3 - Spam C2s

162.144.47.94:7080
41.185.29.128:8080

Epoch 3 - Stealer C2s

178.32.255.133:443
198.46.150.196:7080

Current Epoch 3 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB

Credits and Notes Section


WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch 
because they rock and report everything to ISPs as it is confirmed to be malware. Additionally, 
this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

What is Epoch 1, Epoch 2 and Epoch 3?


(09/17/19)
With the discovery of Epoch 3, which split from Epoch 1, this section will be rewritten in time to reflect these changes.

Community Lists/Samples


https://twitter.com/wwp96/status/1181196494411616256
https://twitter.com/Lvanoel/status/1181080496706609153

https://pastebin.com/u/paladin316

feed of module hashes
https://twitter.com/EmotetIndian

(sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)

Credits

Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:

Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161

C2 info/RSA Keys - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @VK_Intel, @Paladin3161

Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @TheHack3r4chan, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk, Anonymous :)

Spam Templates - @devnullnoop

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and 
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey , 
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch, 
@urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software at no charge to this cause!

Daily Log 10/07/19


General News


Drops Report

ursnif/dreambot
https://twitter.com/b4rtik/status/1181117632445140993

trickbot
https://twitter.com/malware_traffic/status/1181211540634177537

Email Template Report

DOC releases:
E1 ModifyDate:	2019:10:07 06:19:00	CreateDate:	2019:10:07 06:19:00 efectivafm.com
E2 ModifyDate:	2019:10:07 06:34:00	CreateDate:	2019:10:07 06:34:00 culturalmastery.com
E3

E1 ModifyDate:	2019:10:07 11:50:00	CreateDate:	2019:10:07 11:50:00 www.materialsscienceconferences.com
E2 ModifyDate:	2019:10:07 11:38:00	CreateDate:	2019:10:07 11:38:00 dulich.goasiatravel.com
E3 ModifyDate:	2019:10:07 11:57:00	CreateDate:	2019:10:07 11:57:00 stavixcamera.com

E1 ModifyDate:	2019:10:07 13:14:00	CreateDate:	2019:10:07 13:14:00 www.tenangagrofarm.com
E2
E3

E1 ModifyDate:	2019:10:07 16:32:00	CreateDate:	2019:10:07 16:32:00 homengy.com
E2 ModifyDate:	2019:10:07 16:37:00	CreateDate:	2019:10:07 16:37:00 theinspiredblogger.com
E3 ModifyDate:	2019:10:07 16:44:00	CreateDate:	2019:10:07 16:44:00 www.stepsofcoffee.com
Waiting for more over the next few days IF they come back.

Payloads Report

process list - executable names are built from these based on client characteristics
engine,finish,magnify,resapi,query,skip,wubi,svcs,router,crypto,backup,hans,xcl,con,edition,
wide,loada,themes,syc,pink,tran,khmer,chx,excel,foot,wce,allow,play,publish,fwdr,prep,mspterm,
nop,define,chore,shlp,maker,proc,cap,top,tablet,sizes,without,pen,dasmrc,move,cmp,rebrand,
pixel,after,sms,minimum,umx,cpls,tangent,resw,class,colors,generic,license,mferror,kds,keydef,cable

EXE releases:
E1 - 5 drops between 08:00 and 20:45
E2 - 5 drops between 08:00 and 20:45
E3 - 4 drops between <12:30 and 20:45

C2 Report

86 combos on E1
88 combos on E2
39 combos on E3

E2 C2 all went silent ~19:00 UTC, still quiet at time of writing

Closing



TT

Sandbox 10/07/19


E1
https://capesandbox.com/submit/status/2424/


E2
https://capesandbox.com/submit/status/2426/


E3
https://capesandbox.com/submit/status/2427/