Daily Emotet IoCs and Notes for 10/08/19

Emotet Malware Document links/IOCs for 10/08/19 as of 10/09/19 00:00 EDT

Notes and Credits at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.

http://awgpf.org/wp-admin/LLC/dUDBARshweY/
http://blog.safary.ma/fwl503/INC/vEVxmeCyUmCQtogaMolBfygoR/
http://clients.siquiero.es/hizv5v9/paclm/afcse9eba1qsn_owbo6-69170965/
http://ctni.co.uk/wp-admin/esp/bBItbZBcBQOoEwafxb/
http://decorstyle.ig.com.br/wp-content/languages/Scan/za7w63pg79e_f4ia5-01669369/
http://disdostum.com/blogs/lm/khtnAGvipOpDnzbCFMC/
http://earthpillars360.org/vgok990sf/cavTByhbMbs/
http://emilrozewski.pl/emilrozewski.pl/INC/o2i1pmac2kkr5bo5mx2nl2at4_6dc3fvvq-66548834332/
http://gonouniversity.edu.bd/sociology/lm/InNCDfrRIDqnLjHrOFEhBGhRGFQsX/
http://hurtowniatapet.pl/wp-admin/zqVHnvSXXoiFCasKkuFaUg/
http://infraturkey.com/deletecomment/parts_service/daaMnHeDzR/
http://ismashednc.com/cgi-bin/z551rm1hmrv373_e8hs2-7538061518636/
http://kbkevolve.com/wp-admin/zjmxgadhuv4pnbzp7ynpdoik56795_gwb8z-673046389663526/
http://nuevocorporativo.canal22.org.mx/wp-includes/s0r6nqec8g68xjnbfnttar7_t805e-24701676/
http://ostadtarah.ir/wp-content/paclm/MpIiyqCdWrsLPjbMjiDqBhrZOq/
http://overwatchboostpro.com/ynibgkd65jf/sites/2bmfkc0j7qe8_58yyhd4-3344823406/
http://parscalc.ir/academy/RKWgiuSOZGpFVpIf/
http://peruphone.com.pe/5hdf7b2/DOC/XGxZhPXkNKqiiGFnKeIH/
http://taskforce1.net/wp-admin/paclm/b33w806gu34ln6s_o75jzedoh-7204931873/
http://wizard.erabia.io/cl67i3t/Document/HcRzSepVgfWLviFFzMVzUFePbuvUH/
http://www.bresbundles.com/hunwdgi/esp/vml11lb8y0nqu244jmd1ulfcj_533mn-795717924/
http://www.earthpillars360.org/vgok990sf/cavTByhbMbs/
http://www.elibdesign.co.il/wp-content/yKiXqyQZcygxYAAKT/
http://www.endeavouronline.in/cgi-bin/3ag3ls9kvd4ot6j1njug1nq8k_2v9rsq9-5699212626798/
http://www.goaribhs.edu.bd/wp-content/A3F9NVJS9BB3F/NMCmgnzScSetktYTdGLDfyPsqZEleA/
http://www.lavinotecaonline.it/wc-logs/yHlKCeOlqUfc/
http://www.omniaevents.co/wp-includes/LLC/im4r213qj3jgqq04kcp722irmm_n7331-313199097437/
http://www.saleemibookdepot.com/hpkikf/LLC/fqj2uihuh9te8_bculdpib-726470310041/
http://www.salviasorganic.com/license/INC/0fbsvvw1uzkhc8nf4x8hiqoa7obf_8flumf39v-3657734246364/
http://www.sweetpeahaircollection.com/sssu/FILE/lnnet2pb1tnl5rl0onl4gy_8vehv5y-920842041/
https://ctni.co.uk/wp-admin/esp/bBItbZBcBQOoEwafxb/
https://ecklund.no/pdf/NS89IQMMUCSS/jFcOZtnMxKGeacejiwMwAlDzKeQNGa/
https://iglogistics.in/sitemap/sites/ycfxuqsv_ay7m3lcrv-140179245879158/
https://medias.chavassieux.fr/ithemes-security/63jgcgvb8jr68pcwazhl5h1smav79t_yyckjzwlc-316327566722032/
https://milwaukeechinesetime.com/function.cheese/vHmHUDKXBfcgYtvnXicxWt/
https://norbertwaszak.pl/tmp/LLC/BQpvwHGKCQDvKNpfIGhqse/
https://parscalc.ir/academy/RKWgiuSOZGpFVpIf/
https://roshanbhattarai.com.np/audio/LLC/0yxb1xel1ydl_nve0nvqu2-4052856905/
https://www.bresbundles.com/hunwdgi/esp/vml11lb8y0nqu244jmd1ulfcj_533mn-795717924/
https://www.earthpillars360.org/vgok990sf/cavTByhbMbs/
https://www.elibdesign.co.il/wp-content/yKiXqyQZcygxYAAKT/
https://www.kairod.com/wp-admin/2mnbyvwluikqcptooc6zgqi5x_n0iovu4-89107313/
https://www.nxn.one/u3pgsx/lm/ja4cwgjfnn3d1pay5s2ltjk8_qije8-44560606469579/
https://www.sweetpeahaircollection.com/sssu/FILE/lnnet2pb1tnl5rl0onl4gy_8vehv5y-920842041/
https://www.zhycron.com.br/admin_ldown/paclm/TrZdUfcnfIvF/

Payloads per Epoch by Document

Epoch 1 Payloads by Document SHA256 - All Times UTC

Creation Time	2019:10:08 21:38:00	(Attachment Only - Doc based - Product Notice)
SHA256
c84664a344e771be41969912556336d2c897a4dd251d26eeacac6bc5fc319e65
2bb1527ada1ac7fce2025798130e3ac21a83e0ebb27e85d281d89a07f87e48ef

https://www.skullbali.com/bk.wp-content/311/
https://aceontheroof.com/i0oni/gzx5550/
https://aaplindia.com/harder.inc/odw8xth96/
http://cheematransxpressinc.com/wp-includes/shm5djl4638/
http://www.dgxbydamonique.com/fr4jt/cache/init.upper/h8914/

Creation Time	2019:10:08 18:28:00	(Attachment Only - Doc based - Product Notice)
SHA256
76ef4c5e6b2d96ff9992ab0d9dd1c8d6c0e48c2f48e8ab5337244d7e4e398d59
4ba60a908543cc1f480f87434465c287ac01aa59fb8ee0624bb7afc95b40976c
4606cded1cd857878be98306ae150c475140628faf97043dad10b55109dae430
22786a80be851c33176da8bdcb875dba920504e746ab613b72e8d19df3b49207
f77a7fc2633d5ce15948a5bd43728d4d81ee760683e04c0dabd853fccbe4064e
5a64821814566d26f15e3e0fd920cfc693f14c0d173ec9317365d9198a40b789
5f6d4bd72bb15c1a031d7222594711e4d5eeebd4a61fae15d2cbeb57bd60f42c
e6dd9f9f3fde62281e294f157e382eb3ed5f991c011ec01f81d5b2a845d4a101

http://www.denedolls.com/wp-content/upgrade/oghujlu568/
http://www.divinedollzco.com/wp-content/upgrade/sl3d205/
http://www.exquisiteextensions.net/5kjc/cache/8so9319/
http://www.reviewchamp.net/wp-admin/4394/
https://fayedoudak.com/cgi-bin/2iz3/

Creation Time	2019:10:08 13:47:00	(Attachment Only - Doc based - Activation Wizard)
SHA256

http://suse-tietjen.com/wp-admin/u442/
http://www.vanilla-extensions.com/wp-content/0hb3292/
https://sahajanandmart.com/Android-RecyclerView-code-generator-master/hba97650/
http://arabiasystems.bubaglobal.com/crm/f8i6/
http://maolo.net/8qv20/73z86/

Creation Time	2019:10:08 09:55:00	(Attachment Only - Doc based - Product Notice)
SHA256

https://retos-enformaherbal.com/wp-admin/ty8c0/
https://georgereports.com/wp-includes/slus46762/
http://scribo-cameroon.com/css/2f3142/
http://junengmoju.xyz/wp-includes/m50168/
http://anjietiyu.com/wp-content/d5256/

Creation Time	2019:10:08 06:22:00	(Attachment Only - Doc based - Protected View)
SHA256
b1b08b80e5eb2f08375f0c7a6cc814e2b500f1110f4a3ab6aa5ee859ff384271
e9d96541c874cad22dcdb71431b313c386ec45672d54354a412b7d65c334b353
6c9b3ccaa6f5d490eb0e602cb85b6a1059bfa18118ad53031a279961480a9b10
93522f9d5dd7e4488ab0797c1d83f3aef283daecd2479ca2f66a88e40a43abf7
355044d564d0ec88045a81feda619cd7d76ceee25bb4ce1b13a1117fb6416d50
3ddb7a79bed76211b93491519a3473c8b84e6fb21777080f5f8c04c68c217078
101c4a5a34a58c6b7186893a04de32f8dd0165510889fa873ea3287c5ba72e9c
97dbd71dc62d6acbd0d1e41d9c82066dd0650e902e7d8fdf5626b9495847daae
86b3be02e700fddaf207643893e364f52a7619bc72e3c0a04df2ba1dbac6122f
4cc2c2c09d03571a111d7e1643eb4ec6540495ba83c738d0f9a1507bf0626597
b9b2e4954a7904934d27d5792292a3f00694faa16494d3efc1062ffd0a532779
979223117d4ce4eacdc30a4e87c519b9a87a7507a307dcdcef2d0da5448325e5
091856924e5c1c3c2503b1560dc0255ef1d2c4fb17095225a6184d00525437ac
238f3102d47c8744f86edcd268c1c9fe260c9b5ff547872b2ce6d376f5ba8d88
9b87c9414666aeb43933db2208588bd8a3853a969a08b38e03f2674366be0af4
2ae0f71b14bdda233b42e00879c88c419c466002f634e576648053c63ed388f2
8012b3c9b6f181878b569add8cd98257486487eaca0f6cc92f4433ec73b61f12
4ab4140a716dd5553bd084ea24062d14948ed200ce794b58e886492e8aed43db

https://halloweendayquotess.com/wp-content/5o40y5w7760/
https://pentechplumbing.com/wp-content/ovp35378/
https://joangorchs.com/5tvk/gy6154/
https://physicaltrainernearme.com/yabu/9xnjf4183/
http://yensaogianguyen.com/wp-includes/rp802oi00/

Creation Time	2019:10:07 21:38:00	(Attachment Only - Doc based - Product Notice)
SHA256
565accdaa30ecd3ee09cf5ffcfb28a941a35ad8b85b8a174478caf9fa02fca13
13c6abc718f08b6fa59813fc62dcc3c8eae62d89c430b5e8b80a2683da93e4ca
706d6c8d6a1c6a5a4b48f373fcf08b42900e0d19ec558a59778e7d7998ffaaec
55004ce3122e1c50902978e57a9ac04c211e1ac9ac5391daeccabc2a453817f2
67e4943ef8826325d01d6e076ab404f82769ebac651265087619b844803c7234
c4898b54830c2fc8f6d19b1030f545826de52927dc0636e525a95ecf74c0ecf8
b7d0a0a3e852bc0f35c3808ee61bb38e953a95bc599f1e8e9d99e6f54b078561
08d5cea1dae8c4c59758c50afd5bb3a15bf855bec29c3c9ba0c3818551306bb9
6a34d6c923698fb5d00d62cfc6278a5a8d5184b62c4d43bbb095f1d120982d92
2670be25f7b3dbd3412cf41188e844fb7eba1a12c472fd1b47c780c6b1801500
869e03adb7f76845e98af484c5ebea2977ae220b629d031d4bdd737c515d2f2d
902441cb72c2fe170c7d7e15b4357ffc7124245354272d4b9a33be1f63f26578
7b9df8530c0d7af5ba382179a31269ef2df7fbed52aa5ffe1321b9c869a3eda7
6ac7095c3d3064078e4a49f85da7ecb39cf358e4c3ebdcf257820caf883868f7
64d6c044ec17d331d20257ca8bafd35919ddce3e868c6feaf66a26c8724357a7
6cff812d845f1514d0827c1f4fd49524f668d362f5d94c23c15ca835a80016fa
78812d6432bfcadff5b05498870aaa3682aee7e7d6c094c8c4f7adcf67b1b676
9b6073ac8279fcbfdca106cfd26c07fbfa2b099d2ad20aa13b7b29d2bb51c99b
84c1559f749859f3ed107b45bbcfc30766721f2d9f8b60c2b89bf244800d30a5
4d04802476cc425554b3b058e96e9ae75e96837c0b54df54e9fdd4432aeb85fa
fa8e0da0177dd895d75ff09dc95a5d607258bc18f29116d78beb3081c96cbbfb
5ac269a21b049768d69ba079d88ae0eb1aa2e21802a4f1c3194ef4fb1cd54c98
e0ce302f51797ec57a1e7ffaa10989a92eb6578a75b572aa8c2f2dc4ddb6d798
4fa9fb02c767f4b548ad305e01fee44b837edc5d7a795048ad08baf3cc688697
1a2e298202890a73aa5296cf2889a2894faf4abfe73bde35c7bc0d46b7c22d73
7fec8a34bd9f20a430d7fb58239ff02c74d17f10020f1dbb7c818e86eb225d10
ef8e90b64bc9e22c1867ca2f083c5f60eab18ca78af85895e2144260e9cda564

https://milanoplaces.com/wp-content/g50845/
https://wolfoxcorp.com/wp-admin/fu942q6290/
http://mbaplus.tabuzzco.com/wp-content/3v04/
https://www.juriscoing.com/wp-includes/debv8rb82/
https://childsupportattorneydirectory.com/wp-includes/5yg88/

SHA256s for Epoch 1 Payload EXEs

6808bb2428b7b02a97ed9cbf170e1bf1e8e8202200354bb696da4a1f241b5d8f
e0500e097c7d93b3f0d3d57bc239ef376f73e872f1d2971f2054ab36735439fe
5b65d3f6a6930d275e27e073896d642b7de3e4974d43b9086dcba15d11831bb7
666ce592dfd6f4265c7d5c56c48d44ad24f0aa5861b785a39ec63dedf97e716d
9811a33a497366e62bb30d5b08a2e755ac8b25e0a891412717b18c5a09e55bdd
c8edebe8678c48c5fd79479f8db37557c755e0a456a351cf9479d1ff79079991
424d6e0da1f00ddc0bd604692e0a5e7d103f1276e11061bebdbbc046edd5846b
d8c56552e6e122050cadb07cb9b62a61a21c69429462af3709bd78c5d6ab02d2
c0960cf6d1496d13836548bd28c0e8fc05f2779cef4aa8de55afd735ab61e4d3
adb5e93a390f70dd1b4d2cab64b5987e4698e9e11bd4fd03fdc5858ca82e3c9d
87cfbcb7d1bcc3936785ce717649c4de58e058b2626bc882610e74babb051a13
e64d3e2fbc8e3f359a694973381e239e638a69e9dfe00f63eb62ff1c3d07d622
369ff8804c1fafc3bbbc80f030779d99f9d10719d0d0cf02d3eeb42c2d16ffcf
82ed33b3b862b93f1dc880fb4bc655ba24e36dcd59e20e508a077f5346d03d97

Epoch 2 Payloads by Document SHA256 - All Times UTC

Creation Time	2019:10:08 22:16:00	(URLs - Doc based - Activation Wizard)
SHA256

http://www.bundlesbyb.com/tracker/wem3_yldu7bdho-3397265/
http://www.crookedchristicraddick.com/b6lco8b/fjJlPxAE/
http://flyadriatic.co.nz/wp-content/upgrade/kNNrBpkb/
http://boomenergyng.com/ejtvcw8t/nnqryau_eicqc-2236624/
https://flowerbodysports.com/wp-admin/LyKaednUE/

Creation Time	2019:10:08 19:09:00	(Attachment Only - Doc based - Activation Wizard)
SHA256
5aaaa80d5d41587dd1f10f00fe87284a2dafb4e223a4b938d8798ae46b762f8c
2246910bd51fa53ddad6f2e71b323c1223010656a848293539028cee0b738433
dc1327d8f801351e82553ff8b6b62d0f5b3da21290a9351fb82d758636ba4f52
a97f0bbbc6396be92690461a19325e3910635ecad17e7392de525cd7ba9e3fc4
5860d6611e227a16a33bc88ceca0b0229f8589b2529494c20b37c662fbbf5616

https://1greatrealestatesales.com/therobinhoodfoundation/5f3tn_ty5y3o-150740682/
http://www.medyumsuleymansikayet.com/yhofles/UUEakcVW/
https://www.stonergirldiary.com/wp-content/t2ukj28t_6v9999efvl-0/
https://abcconcreteinc.com/delete_assoc/fuedRytyy/
https://sandbox.iamrobertv.com/ynibgkd65jf/STaOjpfGj/

SHA256s for Epoch 2 Payload EXEs

0819a3cd3245e1348b0044b9fbc03d7a63449b0454a10baa8dd83c604adf718d
108dc570ca53f3c58723bd9ccc4a9ea521e2f160d658c5ce09fa6ddc4e87afda
e3f941f1ac56fd58b6a11081aa33e46d27e7795438511f71a92e73b96f464ae6
308b8072ffc142d8aeb9e53d05f7c0a77da0ccc9cefbcf306794afaf70775fe8
daf460173fb28788aff06ec8e766d4d58f39819b870ecfc7c9061c8a4cd3504d
ae694cb80da86747b4cd4209dfea162635679c00fe6bf81c5d4a9ea15df18fdb

Epoch 3 Payloads by Document SHA256 - All Times UTC

Creation Time	2019:10:08 21:22:00	(Attachment Only - Doc based - Activation Wizard)
SHA256
47e9b5a0b1186463980089bc086fa67a825ec11f6f59c9f41c3e7baab4f3d59f
16e1a596042ee81b42006b1198e32c03506e8f803cf9faa576f8c2c128a63587

https://quantumneurology.com/c9wpulh/jzb28h8-nb0rnw46-3014549325/
https://www.xuperweb.com/og6pj/nekIilY/
https://www.openwaterswimli.com/roawk/9qjxjxwea-lruswyx-465183521/
http://www.evextensions.com/wp-content/upgrade/ruyjko/
http://www.diamondegy.com/wp-includes/wuksdgxg9n-pcm-6870/

Creation Time	2019:10:08 16:53:00	(Attachment Only - Doc based - Activation Wizard)
SHA256
cbb1c0fe8eb8c62315dbb98a8928337ac2a0fbd7b5a8fe34276c495c7b4e3bac
4bd47a3fe4b9ed8dd19eefa7e7c2e6f35dc48cb004f8cffd17469185dc63538b

https://www.noblesproperties.com/calendar/FmjmLwf/
http://astrametals.com/wp-content/ewhsu4nj-kxd9cd4z-2535853371/
https://skilmu.com/wp-admin/qQWxrLq/
http://ladariusgreen.com/eb2hb/qx7nvp-cba-24081725/
http://www.virtuoushairline.org/h7vz/NRUGvE/

Creation Time	2019:10:07 16:32:00	(Attachment Only - unknown)
SHA256
a09c02fe7eac9a93e0b67d403ffdf0ce39d24e5f1aeaced29d7c0030035d95e5
a624f2d4a130fab943d60aea67fa267a4002f7eba584513c3f17fbf6145e799e
e805ac98059d49d8e928cc242e38e6d75ab1d2f658d8670a547abec4af1b8563
37c8e34625de1e16090384e7a2aefe70a5c72228b5526388e988a7eda062af79
564ea749c21d8184f1273c13da96ac855ef4d34ee9b4c4c10b03498df5b4a47e
7ef172a6242c7d49f2f013f9b118876e6aab08ea3043fb4d8cce78d9c7e40f97
7c99358a9100df75f9bab44700b907a5d04a1040814d15a221b0490ab5e55eb0
c6faeaaecc0caef3d1e70a88ee3390db1d6992d80676be1266856848f9c746a1

http://maisvisitados.com.br/pedido-online/arm-pn8-90/
http://www.anhjenda.net/rocw8hy/adxa51-5l50l7tfl-923/
http://hometownflooringwf.com/birthday_popup/14sm2euha-9ynnd7-0791/
http://lapakmanis.com/wp-content/KnjtZj/
https://www.copiermatica.com/sox62c/ZTGZhF/

Creation Time	2019:10:08 11:03:00	(Attachment Only - Doc based - Product Notice)
SHA256
d092ea1ded448999687361e02a30cd8060cc8970871302d3ae27aa33a5d1aafc
72702e08e450ec04669ce011a8c94c5dda6690029f6a9e0f4bda95eb30b523ef
caacfce1118ab1d01e3e2b27470d478d7cb24f11ee440da096345e8649bcb9b0
5cd30545f2fe2c32715a66f53e53ec4e9eab131ef0a5510ec03baca0bc113897
8f5dec209c1b35ac62146d7461cf603933d354baa0e337a9a8ed991664fb3648
34beea5d8ab46644a7002cbcb2e4dd9292d9048472c8769b517c306b6bd7eee1
f159fe22161c6ce50576ef49507f950d73d68af8e5dd5d6b1b287e695fe5ec4a

http://toofancom.com.np/wp-admin/UniRvomr/
http://goldindustry.tech/wp-includes/ram2ul0he-5p8w-3956122/
https://rotaract3131.org/wp-admin/kHOUYts/
https://gogogo.id/wwsli/l09zna98-0mcw5s-684431/
https://www.petrousortho.com/wp-content/kixdl16gj-hx62-31/

Creation Time	2019:10:08 06:25:00	(Attachment Only - Doc based - Protected View)
SHA256
5b830f40fa91c4a5d758b1e4ac3ac1f53e52030e6f87cb41b240855bf8d1a0de
e0281d0e78469cb6bc4cb7aa65e2d03270e647a1d31000ad4f0f38ddeeee56ae
ad7d49202a57894b8722f40ab8d1f08cfe1319dae9d25d291ebf12847207e5b8
66d6e4e702bad99756ee00f70b15f0d5d8a48e4e84da55f1536def122afc4a06
5bdc00a98cad2ce7a716d23541c0032f5504398205f68627787d523b68094943
9601ff9783e82b35c9d1270c85a3ea40de9c6094bfc8d40772776bf64b5da62e
659edeee1cf29107bc0fcb9f74c86902fb1f29035f4f2f72f78f661f043e9cbe
0063bc99652c2bebd67f84fd38d1ef31336ede37464a5a00e6f062114a1ad0e8
f734575992b721dd2628a8df8912373ca0fe17e72b698e5f3c1a2e2a735736d6
306689d97a54a67570f2ff225172bfcde4cc3b232bde6ef6f8714607e1917846

https://norbertwaszak.pl/tmp/4atc-8hp2m48nye-47/
https://nguoibeo.info/wp-admin/fr6zuhw8-c7x3edchvw-939375125/
http://www.farmersmarket.qa/eshop/22q8-4cqz7itsj-313/
https://www.myparacord.at/wp-admin/hoqrn61-ivix-8688459/
http://immiagents.co.uk/wp-admin/fib8h7vpqm-3pv2nc-22895734/

Creation Time	2019:10:07 21:56:00	(Attachment Only - Doc based - Product Notice)
SHA256

https://roskillhairandbeauty.co.nz/cgi-bin/DuTLRwv/
https://amiworld.co/wp-admin/yISGyosZ/
https://pharmonline.space/fulnfkk89/phGDtDK/
http://embalagemparadoce.com.br/wp-content/YILCbSs/
http://www.fernandaeberhardt.com.br/cgi-bin/0dt5i43uo-09jzhg9-196884589/

SHA256s for Epoch 3 Payload EXEs

694a164eb59921f83961b5ce41a706ac730d912210eb4c2e1fc77edd2744c175
fb6bba0d6f9cf2158f770451f1fbda37d1b48b5e999f930c4be0184d9d3b35ac
995e6803e886ed5ec0affcf26803bb6cb4157953a2f3f9d43768b7a3430a414d
a7d4e5a49d72ebfe3970d430a9dbeb51e548b8b25dfb8132af6dd2fe33ab36e2
ef69021e812d47672a5e4d551b0f601102c4c5d5b470e3ca875c82fd0f02bb0f
130ab31bff278089bef2ca2b4d45c2f25dc34f564a2e64ce95f2dd040f83a508

C2s Per Epoch

Epoch 1 C2s

103.31.232.93:443
109.104.79.48:8080
109.169.86.13:8080
113.170.129.113:443
114.79.134.129:443
119.159.150.176:443
119.59.124.163:8080
119.92.51.40:8080
123.168.4.66:22
138.68.106.4:7080
139.5.237.27:443
142.93.82.57:8080
149.62.173.247:8080
151.80.142.33:80
159.203.204.126:8080
170.84.133.72:7080
170.84.133.72:8443
178.249.187.151:8080
178.79.163.131:8080
181.188.149.134:80
181.29.101.13:8080
181.36.42.205:443
182.188.39.68:80
183.82.97.25:80
184.69.214.94:20
185.187.198.10:8080
185.86.148.222:8080
186.0.95.172:80
186.1.41.111:443
186.83.133.253:8080
187.188.166.192:80
189.160.49.234:8443
189.166.68.89:443
190.1.37.125:443
190.10.194.42:8080
190.104.253.234:990
190.158.19.141:80
190.221.50.210:8080
190.230.60.129:80
190.230.60.129:8080
190.38.14.52:80
190.85.152.186:8080
200.51.94.251:143
200.57.102.71:8443
200.58.171.51:80
201.163.74.202:443
201.183.247.58:443
201.184.65.229:80
201.199.93.30:443
203.25.159.3:8080
212.71.237.140:8080
217.199.160.224:8080
46.101.212.195:8080
46.163.144.228:80
46.28.111.142:7080
46.29.183.211:8080
46.41.151.103:8080
5.1.86.195:8080
5.196.35.138:7080
5.77.13.70:80
50.28.51.143:8080
51.15.8.192:8080
62.75.143.100:7080
62.75.160.178:8080
68.169.49.14:7080
68.183.170.114:8080
68.183.190.199:8080
69.162.169.173:8080
71.244.60.230:7080
71.244.60.231:7080
76.69.29.42:80
77.245.101.134:8080
77.55.211.77:8080
78.189.76.2:50000
79.129.0.173:8080
79.143.182.254:8080
80.240.141.141:7080
80.85.87.122:8080
81.169.140.14:443
81.213.215.216:50000
86.42.166.147:80
87.106.77.40:7080
88.250.223.190:8080
89.188.124.145:443
91.205.215.57:7080
91.83.93.124:7080

Epoch 1 - Spam C2s

37.187.5.82:8080
45.55.82.2:8080
185.94.252.27:8080

Epoch 1 - Stealer C2s

75.127.72.18:8080
190.115.18.139:8080
66.228.32.31:443

Current Epoch 1 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB

Epoch 2 C2s

101.187.237.217:20
103.255.150.84:80
103.97.95.218:143
104.131.11.150:8080
104.236.246.93:8080
115.78.95.230:443
124.240.198.66:80
136.243.177.26:8080
138.201.140.110:8080
142.44.162.209:8080
144.139.247.220:80
149.167.86.174:990
149.202.153.252:8080
152.89.236.214:8080
159.65.25.128:8080
169.239.182.217:8080
173.212.203.26:8080
178.254.6.27:7080
178.79.161.166:443
179.32.19.219:22
181.143.194.138:443
181.143.53.227:21
181.31.213.158:8080
182.176.106.43:995
182.176.132.213:8090
182.76.6.2:8080
185.94.252.13:443
186.4.172.5:20
186.4.172.5:443
186.4.172.5:8080
186.75.241.230:80
188.166.253.46:8080
189.209.217.49:80
190.106.97.230:443
190.108.228.48:990
190.145.67.134:8090
190.18.146.70:80
190.186.203.55:80
190.211.207.11:443
190.226.44.20:21
190.228.72.244:53
190.53.135.159:21
192.254.173.31:8080
199.19.237.192:80
200.71.148.138:8080
201.251.43.69:8080
206.189.98.125:8080
211.63.71.72:8080
212.71.234.16:8080
217.145.83.44:80
217.160.182.191:8080
222.214.218.192:8080
24.51.106.145:21
27.147.163.188:8080
27.4.80.183:443
31.12.67.62:7080
31.172.240.91:8080
37.157.194.134:443
41.220.119.246:80
45.123.3.54:443
45.33.49.124:443
45.79.188.67:8080
46.105.131.87:80
47.41.213.2:22
5.196.74.210:8080
62.75.187.192:8080
63.142.253.122:8080
67.225.229.55:8080
78.24.219.147:8080
80.11.163.139:21
80.11.163.139:443
80.79.23.144:443
83.136.245.190:8080
85.104.59.244:20
85.106.1.166:50000
85.54.169.141:8080
86.98.25.30:53
87.106.136.232:8080
87.106.139.101:8080
87.230.19.21:8080
88.156.97.210:80
91.121.116.137:443
91.205.215.66:8080
92.222.216.44:8080
92.233.128.13:143
94.192.225.46:80
94.205.247.10:80
95.128.43.213:8080

Epoch 2 - Spam C2s

46.105.131.69:443
185.187.198.4:8080
46.228.205.245:4143

Epoch 2 - Stealer C2s

209.141.41.136:8080
46.29.183.210:8080
198.58.112.7:443
185.42.221.78:443

Current Epoch 2 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB

Epoch 3 C2s

101.187.237.217:20
103.255.150.84:80
103.97.95.218:143
104.131.11.150:8080
104.236.246.93:8080
115.78.95.230:443
124.240.198.66:80
136.243.177.26:8080
138.201.140.110:8080
142.44.162.209:8080
144.139.247.220:80
149.167.86.174:990
149.202.153.252:8080
152.89.236.214:8080
159.65.25.128:8080
169.239.182.217:8080
173.212.203.26:8080
178.254.6.27:7080
178.79.161.166:443
179.32.19.219:22
181.143.194.138:443
181.143.53.227:21
181.31.213.158:8080
182.176.106.43:995
182.176.132.213:8090
182.76.6.2:8080
185.94.252.13:443
186.4.172.5:20
186.4.172.5:443
186.4.172.5:8080
186.75.241.230:80
188.166.253.46:8080
189.209.217.49:80
190.106.97.230:443
190.108.228.48:990
190.145.67.134:8090
190.18.146.70:80
190.186.203.55:80
190.211.207.11:443

Epoch 3 - Spam C2s

185.187.198.5
41.185.29.128:8080

Epoch 3 - Stealer C2s

198.46.150.196:7080
178.32.255.133:443

Current Epoch 3 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB

Credits and Notes Section


WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch, 
because they rock and report everything to ISPs as soon as it is confirmed to be malware. Additionally, 
this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
 
NOTE: The doc DL URLs are now in alphabetical order. The community lists below may contain content that is not in my list;
I am providing them for your benefit in case you want to parse them as well to be sure.

What is Epoch 1, Epoch 2 and Epoch 3?


(09/17/19)
With the discovery of Epoch 3, which split off from Epoch 1, this section will be rewritten in time to reflect these changes.

Community Lists/Samples


https://twitter.com/dms1899/status/1181415428779847680
https://twitter.com/P3pperP0tts/status/1181489101406691329

https://pastebin.com/YRFuXAYZ - @Paladin3161

feed of module hashes
https://twitter.com/EmotetIndian

(sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)

Credits

Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:

Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161

C2 info/RSA Keys - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @VK_Intel, @Paladin3161

Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @TheHack3r4chan, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk, @abuse_ch, Anonymous :)

Spam Templates - @devnullnoop, @lazyactivist192

Special thanks to @lazyactivist192, @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and 
helping out with this!

Very special thanks to @Binary_Defense, @lazyactivist192, @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project
https://github.com/decalage2/ViperMonkey, @digitalocean, @mploessel, @anyrun_app, @unixronin, @hurricanelabs, @MalwareTechBlog, @KryptosLogic,
@0xtadavie, @MsftSecIntel, @abuse_ch/urlhaus.abuse.ch, @urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software
at no charge to this cause!

Daily Log 10/08/19


@jroosen here and I am back and struggling to get back up to speed with all that has changed since I left. @ps66uk and the rest of the 
team did a great job filling in and we will hopefully make this more of a tag team effort going forward. Here are some notes from @ps66uk
from earlier: "E2 C2 were not responding this morning (since ~2019/10/07 19:00 UTC) but kicked in around 19:00 today. After an initial DOC
only run, URLs were seen again." In fact, I noticed that there was a transition to links on E2 even before the 19:09 series switched to the
22:16 version. @ps66uk did most of this post and the work on it so thank him. :)

General News


@luca-nagy released the slides from her Emotet presentation:
https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Nagy.pdf

Drops Report


Not a lot out there today on this. I assume Trickbot of the gtag: mor* variety but unknown. The amount of Dreambot has been interesting
also. Hope to see more on what people share soon now that I am back in the office.


Email Template Report


I noticed in the past few weeks there has been almost entirely attachment malspam and rarely any links. When we do see links,
we see them on E2 and no other botnets. It is curious why they feel this is a better tactic as anything with a macro attachment is likely
getting blocked in the filter by default. Oh well. Also, I noticed I have been getting malspam finally again but most of it was German
based the past few weeks while I was out. Additionally, I saw some reply chain type emails constantly using the same basis subject with different
senders. Once you see the reply chain type email, you may as well block that subject if you can because I literally got a dozen emails based on
that subject. Again, I don't understand this method but there must be some reason behind it or bug that is causing it to mainly stick to one 
chain of emails. I did get a few other reply chain ones but they were usually only a single attempt in contrast.

DOC releases:
E1 ModifyDate: 2019:10:07 21:38:00 CreateDate: 2019:10:07 21:38:00 milanoplaces.com
E2
E3 ModifyDate: 2019:10:07 21:56:00 CreateDate: 2019:10:07 21:56:00 roskillhairandbeauty.co.nz

E1 ModifyDate: 2019:10:08 06:22:00 CreateDate: 2019:10:08 06:22:00 halloweendayquotess.com
E2
E3 ModifyDate: 2019:10:08 06:25:00 CreateDate: 2019:10:08 06:25:00 norbertwaszak.pl

E1 ModifyDate: 2019:10:08 09:55:00 CreateDate: 2019:10:08 09:55:00 retos-enformaherbal.com
E2
E3 ModifyDate: 2019:10:08 11:03:00 CreateDate: 2019:10:08 11:03:00 toofancom.com.np

E1 ModifyDate: 2019:10:08 13:47:00 CreateDate: 2019:10:08 13:47:00 suse-tietjen.com
E2
E3

E1 ModifyDate: 2019:10:08 18:28:00 CreateDate: 2019:10:08 18:28:00 www.denedolls.com
E2 ModifyDate: 2019:10:08 19:09:00 CreateDate: 2019:10:08 19:09:00 1greatrealestatesales.com
E3 ModifyDate: 2019:10:08 16:53:00 CreateDate: 2019:10:08 16:53:00 www.noblesproperties.com

E1 ModifyDate: 2019:10:08 21:38:00 CreateDate: 2019:10:08 21:38:00 www.skullbali.com
E2 ModifyDate: 2019:10:08 22:16:00 CreateDate: 2019:10:08 22:16:00 www.bundlesbyb.com
E3 ModifyDate: 2019:10:08 21:22:00 CreateDate: 2019:10:08 21:22:00 quantumneurology.com


Seems like only E2 is doing links. I am going to make some regex tomorrow as it seems like some of the old patterns are there again.

Payloads Report

Process list - the dropped executable names are built from these words, chosen based on client characteristics:
engine,finish,magnify,resapi,query,skip,wubi,svcs,router,crypto,backup,hans,xcl,con,edition,
wide,loada,themes,syc,pink,tran,khmer,chx,excel,foot,wce,allow,play,publish,fwdr,prep,mspterm,
nop,define,chore,shlp,maker,proc,cap,top,tablet,sizes,without,pen,dasmrc,move,cmp,rebrand,
pixel,after,sms,minimum,umx,cpls,tangent,resw,class,colors,generic,license,mferror,kds,keydef,cable

EXE releases:
E1 - 9 drops between 06:00 and 07:30, 4 drops between 08:30 and 20:15
E2 - 5 drops between 06:00 and 20:15
E3 - 5 drops between 06:00 and 20:15

C2 Report

86 combos on E1
88 combos on E2
39 combos on E3

E2 C2 all went silent 2019:10:07 19:00 UTC, back up ~2019:10:08 19:00 UTC
I found this interesting when it went down and seemed like the back end was dead.
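The "combos" counted above are simply the ip:port entries in each epoch's main C2 list, and the Notes section invites readers to parse these pastes themselves. The following Python script is an added example, not part of the Cryptolaemus paste or any of the team's own tooling: it parses this paste's layout (the "Epoch N C2s" / "Epoch N - Spam C2s" / "Epoch N - Stealer C2s" headings, ip:port lines, 64-hex SHA256 lines, and doc download URLs) into structured IoCs suitable for a blocklist or detection feed, and it keeps the bare-address case (185.187.198.5 in the Epoch 3 spam list) instead of silently dropping it the way a strict ip:port regex would. The SAMPLE text is a constructed excerpt assembled from values that appear on this page.

```python
import re
from collections import defaultdict

# Constructed excerpt in the paste's own layout (values copied from this page)
SAMPLE = """\
Epoch 1 Payloads by Document SHA256 - All Times UTC

Creation Time\t2019:10:08 21:38:00\t(Attachment Only - Doc based - Product Notice)
SHA256
c84664a344e771be41969912556336d2c897a4dd251d26eeacac6bc5fc319e65
2bb1527ada1ac7fce2025798130e3ac21a83e0ebb27e85d281d89a07f87e48ef

https://www.skullbali.com/bk.wp-content/311/
http://cheematransxpressinc.com/wp-includes/shm5djl4638/

Epoch 1 C2s

103.31.232.93:443
109.104.79.48:8080

Epoch 3 - Spam C2s

185.187.198.5
41.185.29.128:8080
"""

URL_RE = re.compile(r"^https?://\S+$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# IPv4 with an optional :port; the port group is empty for bare entries like 185.187.198.5
C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$")
# Matches "Epoch 1 C2s", "Epoch 2 - Spam C2s", "Epoch 3 - Stealer C2s"
C2_HEADING_RE = re.compile(r"^Epoch (\d+)(?: - (Spam|Stealer))? C2s$")


def _valid_ipv4(addr):
    return all(0 <= int(octet) <= 255 for octet in addr.split("."))


def parse_iocs(text):
    """Parse a daily paste into {'urls': set, 'sha256': set, 'c2': {(epoch, kind): [(ip, port)]}}.

    kind is 'C2' (main list), 'Spam' or 'Stealer'. port is None when the paste
    lists a bare address, so the caller decides how to block it rather than the
    entry being lost. Document and EXE hashes are merged into one set."""
    iocs = {"urls": set(), "sha256": set(), "c2": defaultdict(list)}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        heading = C2_HEADING_RE.match(line)
        if heading:
            section = (int(heading.group(1)), heading.group(2) or "C2")
            continue
        if section is not None:
            c2 = C2_RE.match(line)
            if c2 and _valid_ipv4(c2.group(1)):
                port = int(c2.group(2)) if c2.group(2) else None
                iocs["c2"][section].append((c2.group(1), port))
                continue
            section = None  # any other line (e.g. the RSA key heading) ends the C2 block
        if URL_RE.match(line):
            iocs["urls"].add(line)
        elif SHA256_RE.match(line.lower()):
            iocs["sha256"].add(line.lower())
    iocs["c2"] = dict(iocs["c2"])
    return iocs


def c2_counts(iocs):
    """Entries per epoch in the main C2 list: the 'combos' figure in the C2 Report."""
    return {epoch: len(entries) for (epoch, kind), entries in iocs["c2"].items() if kind == "C2"}


def blocklist_lines(iocs):
    """Flatten all C2 entries to 'ip:port' (or bare 'ip'), sorted and de-duplicated."""
    lines = set()
    for entries in iocs["c2"].values():
        for ip, port in entries:
            lines.add(f"{ip}:{port}" if port is not None else ip)
    return sorted(lines)


if __name__ == "__main__":
    parsed = parse_iocs(SAMPLE)
    print("doc URLs:", len(parsed["urls"]), "hashes:", len(parsed["sha256"]))
    print("combos per epoch:", c2_counts(parsed))
    print("\n".join(blocklist_lines(parsed)))
```

Run against the whole paste, c2_counts reproduces the 86/88/39 figures in the C2 Report, because those are the lengths of the three main C2 lists. The parser deliberately does not try to tell document hashes from EXE hashes; if that distinction matters for your feed, track the "Payloads by Document" and "Payload EXEs" headings the same way the C2 headings are tracked here.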

Closing


I am really grateful that the Cryptolaemus guys were able to work on these reports while I was gone. I want to especially thank @ps66uk
for all of his time spent on these. Hopefully everyone is finding them valuable still and remember we are always open to suggestions.
It was nice to have a vacation but now it is time to get back to work, TT. - @JRoosen

Sandbox 10/08/19


E1
https://capesandbox.com/submit/status/2504/


E2
https://capesandbox.com/submit/status/2502/


E3
https://capesandbox.com/submit/status/2500/