Daily Emotet IoCs and Notes for 10/14/19

Emotet Malware Document links/IOCs for 10/14/19 as of 10/15/19 02:00 EDT

Notes and Credits at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.


http://6-milescoast.vn/wp-content/s7rfibr3s3jbyrl30/
http://abelincolnplumbing.com/sitemap/lph4cp3uhcerg4eyyfuj8wshre/
http://alplastkuchnie.pl/wp-admin/qAwZmwwdEVNlKHZaHKYRdof/
http://amoozeshstore.ir/css/ju23ib8mkvwx9nfvywvhm9gfa3xvgsup/
http://cbdagshai.org/sitebuok/UACPuLDcSixTBVcsnbBnxMjZgGO/
http://decorstyle.ig.com.br/wp-content/languages/cAYciQWuiFGdqx/
http://deepaktech.xyz/wp-admin/owv2o9utn5ybr2w021v42hr/
http://doubscoton.fr/ghana-visa/FAPIgpcXAJZExV/
http://eagleswingsbrasil.com.br/wp-content/cvftbl8h48wcvcxo8tqfi3i/
http://fdni.ir/wp-admin/xcJOXZbVVOXkzXGywrHHPlDOcurfB/
http://gotranslate.co/wp-admin/0qan9gc71sjc51hwn7/
http://industrialautomation.vertscend.in/gbxhlu/RXXCNToKkSXunJagB/
http://jeevandeepayurveda.com/wp-content/fjp09eio1v6fzk1uoc/
http://kaihuai.xyz/wp-admin/b37vn6ao7zk7hw8/
http://lalauwinoise.fr/wp-includes/OzmjVEceMTOYTwlEOevysMitLPPs/
http://learnsleek.com/wp-content/ijUHATFHxEYqStdqqWYOzIgGMub/
http://massivewebtech.com/sitemap/8ea4r1anrxfvdg4te/
http://mododimarmi.co.uk/balloon_lib/5630dcudhqdpepof3hwh6nhwhq1qlkp222/
http://mrig.ro/wp-includes/ufbvyk2mhgbmee6totfxv7vb6b93o/
http://newregionalsmartschool.com/tgpm/kw2iifsv3rqdg4tb/
http://nhuantienthanh.com/wp-admin/jdzl3tlek09vqu07oy4mlp6px7eqe/
http://ntvlaw.vn/wp-admin/wjacatidryjun84ulq3d9dlt7cny/
http://pandajj.jp/mobile/u7uo2wgjrrriurf2813wntl14t/
http://pandasoftwares.com/wp-content/RQcjMMAXnOoYnCOiIOdFwhhRI/
http://phukiennhabepgiare.com/asgypk/sklsdbzy202mcb/
http://propase.de/bia/SdSLXJuUwuNru/
http://raanjitshrestha.com.np/sitemaps/85zcxslcih6cva78kh7tclwt9okmb1o1josb9a/
http://studology.com/zli/mpBanLFRPNom/
http://thebloodhandmovie.com/4f1wvc8cql/aGVSsdeXvA/
http://www.aventuras-picantes.com/wp-snapshots/FthxqcoxgzZWUqXGmYLgQJsIqlLQD/
http://www.picogram.co.kr/fo/wp-content/6p50vmcpqc4rbmlx3axg7gbixvotx9v7h0/
http://www.thebloodhandmovie.com/4f1wvc8cql/aGVSsdeXvA/
https://6-milescoast.vn/wp-content/s7rfibr3s3jbyrl30/
https://berryevent.es/test/aELPvIcOyjzNDQtIXgRlcJFg/
https://doubscoton.fr/ghana-visa/FAPIgpcXAJZExV/
https://eagleswingsbrasil.com.br/wp-content/cvftbl8h48wcvcxo8tqfi3i/
https://gotranslate.co/wp-admin/0qan9gc71sjc51hwn7/
https://iglogistics.in/sitemap/IWsGGmeNX/
https://imtglobals.com/wp-includes/FaaMfPCN/
https://infinite-help.org/blogs/uuw3a2dqi4y4e9lts/
https://jeevandeepayurveda.com/wp-content/fjp09eio1v6fzk1uoc/
https://kore.lk/wp-includes/EgvhkmnRVU/
https://ksiazkitomojacodziennosc.pl/wp-includes/ktvTNpjKvNKIeFdg/
https://merrylu.co.il/wp-includes/wvejvajn61tz9gui/
https://mododimarmi.co.uk/balloon_lib/5630dcudhqdpepof3hwh6nhwhq1qlkp222/
https://norbertwaszak.pl/tmp/NNzfYHoDAXOmfclUEtxocIEJoO/
https://nucleitech.co/cgi-bin/hapllbfq4h2ow26z6pufhxtj/
https://pandasoftwares.com/wp-content/RQcjMMAXnOoYnCOiIOdFwhhRI/
https://primesoftwaresolutions.com/wp-admin/fyt6ycm7c8tz2oq3uzrazxuol30ifhe7/
https://raanjitshrestha.com.np/sitemaps/85zcxslcih6cva78kh7tclwt9okmb1o1josb9a/
https://sarkargar.com/blogs/vHuhpjaWEPVevmMUoLBfkeVyaS/
https://sellkorbo.com/wp-includes/FywTzFQMebzaYU/
https://waresky.com/wp-admin/tWrcMNyDzpAfwnqEGQDevraTE/
https://wecanaccess.com/wp-includes/VtbByXZpxRiM/
https://www.energie-service.fr/wp-includes/lzs1qc7ohyjh4fj7ns2oxgxrjmjr/
https://www.paigeplacements.co.uk/wp-admin/fxZIEjGhIqiNFewKdta/
https://www.talentscoutz.nl/exact_lib/aSUnhzOjlkARZUremYcWP/


Payloads per Epoch by Document

Epoch 1 Payloads by Document SHA256 - All Times UTC

Creation Time	2019:10:14 21:43:00	(Attachment Only - Doc based - Office 365 Light Blue)
SHA256:

http://rastreon.com/wp-admin/901/
http://www.offmaxindia.com/wp-includes/smu471/
http://ahenkhaircenter.com/blogs/k8iuno285918/
http://bluem-man.com/wp-content/uploads/2019/10/btrua567818/
https://agusbatik.xyz/wp-includes/5e6252/

Creation Time	2019:10:14 14:00:00	(Attachment Only - Doc based - Activation Wizard)
SHA256:

http://andrewsiceloff.com/wp-admin/cj2d0009/
http://beansmedia.com/zeus16/wp-includes/tubaw5y35/
http://abhidhammasociety.com/wp-snapshots/ih3vzdc9/
http://pcf08.com/wp-content/02447/
http://acquiring-talent.com/dpaj/05gd575/


Creation Time	2019:10:14 06:26:00	(Attachment Only - Doc based - Office 365 Light Blue)
SHA256:

http://coastaltherapy.com/wp-includes/chz0u9347/
http://brandsofzambia.com/wp-includes/0qssg3841/
https://buseacycle.com/cgi-bin/gk056/
http://www.bokslink.com/wp-includes/pk97096/
https://www.hollywoodclub.xyz/wp-includes/ua67v3288/


SHA256s for Epoch 1 Payload EXEs

Epoch 2 Payloads by Document SHA256 - All Times UTC

Creation Time	2019:10:14 22:53:00	(Attachment Only - Doc based - Activation Wizard)
SHA256:
53620e1b75287e983e410de49de97d665037b3684d84ce040d4ba8a6481b8f58
36fb67228a8d4b9aa6722d8a8f935a6b98787dc11f436048ec67a9be5b5cbde2
9430e0cd15e3ddfe6566b33b0c52570affed58d1b859dfedcd39d3a76d5d168d
b3d0e41cee035547d96aef38a7238087911795634a2183e561e76d1c1924db8e
1b9cec27e9674373d03393625901fe65ba9fff893327729d2b8a3e6198e2bac9
4c90b077a74cc32600d1979f423d132780919fe912341b0e8f7849eb8efcb96b
25f5c4b163d0c957f4d1a29c7067c5b3af65d849ac9941d482b21f8e0663ae56

http://stn.methodist.org.hk/wp-includes/T8jR1an1/
https://collectables.nojosh.com.au/wp-content/U/
https://elemanbank.com/test/7/
http://ndcgc.org/compview/CO7k5c/
https://myboho.store/generalo/U3DnzUY/

Creation Time	2019-10-14 21:55:00 (Attachment Only - Doc based - Activation Wizard)
SHA256:
65465e0a3fe7e6e272964075299237890df38d972ce142681c8b8750e3f0c416
4dfaf2ee35f6a30e2336ba472d6bef789180ee3b2a334130a45341022e65d3e0

https://voiceacademyusa.com/85rs/cfEfsshfH9/
https://topinarabic.com/oht0878/bz/
https://bestbusinesssoftware.net/img/8Xz/
http://armmonya.com/landingpagemayo/5mth/
http://www.southtrustlaw.com/wp-content/n0wghBtL/

Creation Time	2019:10:14 14:06:00	(Attachment Only - Doc based - Activation Wizard)
SHA256:
e293ac4fd9ae3f24c026134f7e8916b8cd5dbd60052f9fc142b99fc26dff4a34
6806781932608a121e4ecbc70bdb5d52b6e7cf3a8ea7d04a6054564412a1507b
63e1801ee2c4b9fd49980188f100d78efb85c360a5772a4eeafce7eee56c3d9c
8027f994b15a87a2979b7bc3d2859fe870f4e48390f4111a8cb2a5bdec3ade87
e2573050b86260f2cb314e404d4707a0e1c4a55ca6744be8ea208a4bd506b772
fe03ad92a84a4921f451efe03720355bc824ff6ae8adef6db61df37d8f55fc02
b9eace5099f9b21ed788af60fd9c3b3cf9509a3399b9b3544dad335a6db19f42
47743ded84b237578256ff3b47733a5f21a16e6e5e01a3343cfaef68d886012b
e856662ba9743307b0729746e88844935cacc1f126cbd2709c5f10916676ebd5
3a1de6759fc0039067506c5ab0ebd5ad36c0173697eb7471a92ea7f86dc79cd3
2145862aba3d8cc8826acd44d477a75272b352ec7dbcdd8d9c97384a7859aff6
67f4da0d309df5ca4c0c471d66467216c8340344d46e6cb8e89f69b52f420da7
6c99037935694767f5e9184f14b22c663d21fe7ca5d285831443e03481aea304
6b325be6419e72c49b00c5ba558a209c71c6ff7d4eccadc3aeb2bbab0a8278f2
64b77f1692bb7c3b025efe878f74c2ad7b9f26122b5f6337ea9977dd14b17345
9b5efc2d114906c3a4aa5216a643f746e7567bfe68e0189c2c392825f2037245
30f719049a3c0ffa36ce6f8d3c16b59b45cc6b0d8819a7cff3c3f800e826477c
8edb637175120d1ea84fb7c7485289e37fa637b81f17842bfad637d01acc21df

https://filegst.com/wp-admin/Kl/
https://www.merceko.com/wp-content/1ek7/
https://kampusmania.com/wp-content/4f2c8/
https://vps333.com/07h31/1gjy9/
http://nuttlefiberart.com/wp-admin/eIDCaO/

Creation Time	2019:10:14 08:04:00	(Attachment Only - Doc based - Activation Wizard)
SHA256:
aaacb4245b5148a8aebac72aca353c26f6416244245f1133fc970eead5a09263
743cbe14b1ce2c36a33f6047b578814d0971914d4ea19528ccaa9f6587512041
98d55bf21166e777fd12058e82b8a8533516e0393bc76c8b7a5c3543b435d88e
9e1d7cd63b0edcb4b3c4b1c86ecf477245ba82b4291bf26484fe2dd6cd9d12a1
beb93578e6fdbd88ee83913aab8d262d52171d49bb33e1595a675792bf14f7df
b3a4b4a64add212bd94c23dec191bfb2f0d9f03bea4e30784a4b3a7418a75d15
47768d7b832e4b1a88f974b7feb09b8064ac6bc6b518ecf0a8a46170e9c9089b
9b10e585c2cd4b8437f2bb9f585d183ddfa0cf97eb52260a69d8ef470c6468c9
51d5ff4595dd43f58bfd451d1cebe4c70d839c5b378f5624cf8d6107fcd3138f
5313c089b467c74d15a3e25f3276e4bb54646e714b74b47346f95b3dfb05028d
47b62e5bf50472c44ecd7c55259fa5624b3919cd5b7df7ba141d4138de3697fd
d4e4f73d81aee3a5fd62fa44adc8507c75702f34ba1765f37640b8f008ee83d4
88d5157106592f38933c47902588fd3291efd1fdd677cbd859991463f9231f90
62a736710fdeb5a0d6fe03346fc9e71fd9254c3f3e9c1ba3c5f07b43a39abdc9
b874c8afd60d9e34fc10d5b2e99a1e4fc96fd7827e24c7479e9127a88ad30444

http://deredia.com/cgi-bin/SSAnMNgWb8/
http://chuaviemxoangyduc.com/q5jh8d/P/
http://www.bompas.fr.mialias.net/wp/o/
http://www.geoexpert.gr/wp-includes/k6m/
http://rsudsuka.demakkab.go.id/error/av33/

Creation Time	2019:10:14 05:52:00	(URLs - Doc based - Activation Wizard)
SHA256:
ece6cafc7d33ff5c5e1088557d6910bf1ca80076c9c7380f677179ae4c87fe91
c73a32d51b8ff9bef3b5efbccef5c3299ef574c2792788579e3f6f489d197c85
a2b091adb5da4474fce9323b1c130b1292bb2a5b19c8c599f6f29ee74f928e21
ae3bbc6f6fca6185867937591db90f11e3a9c7e75842def8c0804f521057ddc4
7cfb222a4e97e5ec87f4d2c6d0a8913ed3ccae3a3861507c98e78269b724875c
90db1a86fc31835ddde90b668303a4ee1ac0235e0c118a0df7566c67bec85e8c
40bbb3fe88e19da7f1bb228cdac548be3e7cae38cbfdd4854a0c0f2a94de7a3c
f2202d9be7f00d20a9d710d138c691924aa965e87c2760b6ce5b691edb47a0f5
d71b3132e0f94efd3c496494f4d4d52a9617a5e2fe065c696a2df578b67efed7
1ed97850eda185c45b83ae3c95913540e6ce99843f08330ee53528022b489cbb
479b2d71bbc158ca3b6a4483234f031c63607d0a82bf47b6a9fda4ee09af8590
287851d55cc6e6edbc6699ddc667e03264012594d0cd8aa493b14f7f812ad353
df97775b296bfb453612a0168eba8045f2e50f1a7f7ef2215d6c9351b5e988fa
92456f1a9db8890926fcd83f58c9f172ea97b0a01156d1e9a5899b6793ed71b2
48986c0d387f6ddfc7be16cf868ca579dd63640bb6181a93fae20f4ef0ccbcc0
42c71c3ca07f4957ffc521984c302d544ed3b977b67eecda2de6906229f55070
c57c38061c7d2db913a18e151c2065fccb09250b6498f1e026bb0b4e0ce89315


http://tendenciasv.com/wp-admin/1d972a/
http://www.correlation.ca/fonts/FSKrYOc/
http://www.moneyhairparty.com/class.local/parts_service/s4y0/
http://www.divinedollzco.com/wp-content/upgrade/kcbg/
http://dncvietnam.com/wp-includes/4bv4z7u/


SHA256s for Epoch 2 Payload EXEs


18235ac8c4482d9c0ca96be91ed18cbc601fa793f03d1820d8ffe492d6ff42ec
f80d1675a57f1bd13e2a39ea36614457cf67ba0dcd855f5eff60984f56db0c12
a33353b8af41a2c8c526cf73db3a091e48056c4b5e4e0c1ec13f416bde627754
7bdd1409b080eb8510163cea3761d694be0eaec7e22bc44736cbfbc3025a310b
4a1d45b5fbe5029805fcd500f8c2f8ee68b04a2b376b5a2e92d665fb6abe421c
141bf6620706cf5c4ee1ceeed26f238399fb1a9e2e9276bdf163f8d4792f0f1f
078f898a197b903c5825119f4d6f47f12552a93f471d1ca9a203f9b313e8da04
6231c216cefa2b2a468ed366dc3c79dc6f0be1d28f2811f8a3ee7627e071b4a1
a4532a333319600efa847ac6b63b58e855838df70063ceeb58d605f81d223922

Epoch 3 Payloads by Document SHA256 - All Times UTC

Creation Time	2019-10-14 21:18:00 (Attachment Only - Doc based - Protected View)
SHA256:
b736c4a412b303fd853a53f42b6e79efb4980b126731f1570f9c604bc7c8a76f
efcb946a760e6a3d26b520206a6fb4e78f1be826525eedea234fa15564ac4eb4
d4687b8be48f9149f0b47b86bf7a04b5bb3c3c537fe0f80bb719d2db8f27b618

https://bulby.pl/wp-includes/qBzhlPwzp/
https://radiokameleon.ba/wp-includes/cvsky29-prh8p1-157/
http://cc14927-wordpress.tw1.ru/sitemap/p3oyypjxz-0a64sp-1997516/
http://smilesanitations.com/calendar/ZmLeHr/
http://greenseeblickhotel.com/wp-admin/ZuvFbm/


Creation Time	2019-10-14 19:00:00 (Attachment Only - Doc based - Product Notice)
SHA256:
a0a3c98ab38bfa6e739ec9a7aea6e80c85df17e2185d4ab5656aea0b04ee56c4
5fd76eadfce3d67e09ae1d239565a7122398ce62d9f1eec700683b9b491594d8
d941f0ef8f88684073db4c7c42d70e07b8cfcfbce4c6cb44dccf8d5770aba8c1
f5115574fb3307957692fd9fa1c519b553f48e23a444b119b7316b6aa596903c

http://tour.nicestore.co.kr/wp-content/kCEtESh/
http://4carisma.com/emailblasttest/uOrzSi/
https://staging.smsmagica.com/wp-content/fbzkgca-ax2qpb-051/
http://www.alphadomus.co.nz/widgets/kv8sd5y/CVghpHSg/
https://imm2h.my/cgi-bin/AwkVtxRys/

Creation Time	2019:10:14 14:12:00	(Attachment Only - Doc based - Activation Wizard)
SHA256:

https://shreeumiyagroup.com/cgi-bin/ib5et-43gf-415252037/
https://electrokav.com/wp-content/JKJEKOXEZ/
http://amitnawani.com/wp-content/xMGvEIgX/
https://janekvaltin.com/ubpos/x4at35ypd3-ylzvfos-017391080/
https://duperadz.com/wp-includes/YzdCIlU/



Creation Time	2019:10:14 06:34:00	(Attachment Only - Doc based - Activation Wizard)
SHA256:
0fd6a365a2d09c09849e41d21fc1cc9f6772fecb3e84d18ebe4bc27f4c17c4b9
e3456221e5332e6179fccb616e43aae746a7754f8b2648722c6650cb0cf51e44
a42446ed70bd4f68d6b40e0778dc63abf2c5a0990d16320c455e0663c0edf58d
daf97cac595f41a4b47302c6fa18fd67ccecb5cb7bae4038f888e75600116353
32f63e43025bec0ab84d29606245f390e5540cfce5f7f419c07aea437143ec4b
b87b20f4d500add0436edac27734ce0c609d10379beda7ffb02f705ab8ee13c2
2b749588aa3523e9644d17fe2bf784136c663d893186acb91cba6db46f76077f
dc09e23329319098cdc638d024b525e1607a120794b0056ca55aefcd09498c96
d950ccbe9ff2214b1d3c97b5f349a6aa1a0edb5223a5fb9a785ec95f0b505f44
d39a6a1d0951def6197cfe68fefec82c9cb08e7cc0c24b8b30fd132c4e62c830
418ddce03eae7264ec5dbb8288fd6dcae6e0f655f30ad96147df6920d2d0337e
bdeb9cfdc8fa093d0801cfd7dc03b3de8133c502e9c93e83917c7a4e79db10fb
39713c39c938ba2f28025c5e1d02826985e3967edf79cd8ca1bd989c816bd744
4f31de253eae084511f793b019fe32cea798953adf38e73c00de8ebcba78b113
609c04e060ff983b5ac38b03f2931629fa2af411a284503966fae46980dd31fd
6088fef0ba3079e5fe8a1fbb8f266de203a4ca065fc1ca3868536ccc37d69e4f
449c00a2fee32d17f30e14d0138f2b5e3cb7d269c0f5f200875ef7d6ab65e893
bdefb45ba3f52e28044c332452111de6238fdf5bacfd02850a49b0b8cb1885c6
69fc66a5d03a564ad445bf91235d9134a1b9f61544f9373b2839af65dcb4d659
79c1ce11d724cde41d6003f7a70e296e781249d95ab34949b77d72f25eed0612
89fc4f5028d780923b7d20846ea8bff55c93bb68dccf1cc8b1f7cd87eec0726f
bc332d26f3170ad635237b6c65cda8de6315f77ef68d32547267104d6d958ba6
a9ab016ccaf853bde09b7ef4af37fdfe991d55924bb7762ac587e0789f2f586e
6b6ae5fa4e8db2885801ae4ba3c9e5f3af88f8bb8252e2c70fc8cb9caca59628
0aedb6ed1158d94c065e72b403d86d09fc4e701f86e6f25f599735241ee691a4


http://sgnr.in/dietitiansakshi/a4deno3w-7ke7y2-706370412/
http://pedrootavio.top/cgi-bin/9iale-ca6dtr6gk-56151762/
https://j-cta.org/wp-admin/LgboYIm/
https://thehomebenefitprogram.com/wp-includes/HrciCN/
https://adanzyeyapi.com/wp-includes/4v0p-t1e6s6m6-098/


Creation Time	2019:10:11 18:58:00	(Attachment Only - Doc based - Activation Wizard)
SHA256:
8ad4219d6ad69b1f42d1be3af394cba0fd2f824c1a99e9e19ff19afb4fc1fbb6

https://sabal.com/wp-admin/fQZAoTt/
http://www.spectradubai.com/cgi-bin/SPYhlL/
http://tendenciasv.com/wp-admin/tbj3o8-lrayg3nw48-6757766/
http://institutobiodelta.com.br/wp-content/kg34rqzas-1esvd9avn-4822/
http://echoxc.com/wp-content/dZPTRTmS/


SHA256s for Epoch 3 Payload EXEs


bd16d173440debec2eb2c8a056584edf4a7a32d2a42bf73b8e4a59f364ec6710
3eecb70a724f130e93f0d9e64b374864c4fadd76ba4b2977ad6dead44a6d2f53
d26610e4560edbdcba6d4c93f9e9ded03103c036033838ef09c11daea9e305ca
10b43555bdddeba125afd25463be6ae1d30fd6b822f2cebc09fddd894f501744
48bcd0ae01752f80eb96c86850c837b19e68bfc72ac316a7c3378e2320f39022
507f386cda99a321f7c5c3b88e91532e154fc98d177904086710bdd73810c2c7

C2s Per Epoch

Epoch 1 C2s

109.104.79.48:8080
109.169.86.13:8080
110.36.234.146:80
114.79.134.129:443
119.159.150.176:443
119.59.124.163:8080
119.92.51.40:8080
123.168.4.66:22
125.99.61.162:7080
138.68.106.4:7080
139.5.237.27:443
142.93.82.57:8080
149.62.173.247:8080
151.80.142.33:80
159.203.204.126:8080
170.84.133.72:7080
170.84.133.72:8443
178.249.187.151:8080
178.79.163.131:8080
181.143.101.18:8080
181.188.149.134:80
181.29.101.13:8080
181.36.42.205:443
181.44.166.242:80
183.82.97.25:80
184.69.214.94:20
185.187.198.10:8080
185.86.148.222:8080
186.0.95.172:80
186.1.41.111:443
187.188.166.192:80
189.160.49.234:8443
189.166.68.89:443
189.180.243.255:8080
190.1.37.125:443
190.10.194.42:8080
190.104.253.234:990
190.158.19.141:80
190.221.50.210:8080
190.230.60.129:80
190.230.60.129:8080
190.38.14.52:80
190.85.152.186:8080
190.97.30.167:990
191.82.16.60:80
200.51.94.251:143
200.57.102.71:8443
200.58.171.51:80
201.163.74.202:443
201.199.93.30:443
203.25.159.3:8080
212.71.237.140:8080
216.98.148.181:8080
217.199.160.224:8080
46.101.212.195:8080
46.163.144.228:80
46.28.111.142:7080
46.29.183.211:8080
46.41.151.103:8080
5.1.86.195:8080
5.196.35.138:7080
5.77.13.70:80
50.28.51.143:8080
51.15.8.192:8080
62.75.143.100:7080
62.75.160.178:8080
68.183.170.114:8080
68.183.190.199:8080
71.244.60.230:7080
71.244.60.231:7080
76.69.29.42:80
77.245.101.134:8080
77.55.211.77:8080
79.129.0.173:8080
79.143.182.254:8080
80.85.87.122:8080
81.169.140.14:443
82.196.15.205:8080
86.42.166.147:80
87.106.77.40:7080
88.250.223.190:8080
89.188.124.145:443
91.205.215.57:7080
91.83.93.105:8080
91.83.93.124:7080
94.183.71.206:7080

Epoch 1 - Spam C2s

37.187.5.82:8080
45.55.82.2:8080
185.94.252.27:8080

Epoch 1 - Stealer C2s

75.127.72.18:8080
190.115.18.139:8080
66.228.32.31:443

Current Epoch 1 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB

Epoch 2 C2s

101.187.237.217:20
104.131.11.150:8080
104.131.44.150:8080
104.236.246.93:8080
115.78.95.230:443
124.240.198.66:80
133.167.80.63:7080
136.243.177.26:8080
138.201.140.110:8080
144.139.247.220:80
149.202.153.252:8080
152.89.236.214:8080
159.65.25.128:8080
167.71.10.37:8080
169.239.182.217:8080
173.212.203.26:8080
178.79.161.166:443
181.143.194.138:443
181.143.53.227:21
181.31.213.158:8080
182.176.106.43:995
182.176.132.213:8090
182.76.6.2:8080
185.187.198.15:80
185.94.252.13:443
186.75.241.230:80
189.209.217.49:80
190.106.97.230:443
190.108.228.48:990
190.145.67.134:8090
190.18.146.70:80
190.211.207.11:443
190.226.44.20:21
190.228.72.244:53
190.53.135.159:21
192.254.173.31:8080
192.81.213.192:8080
198.199.114.69:8080
199.255.156.210:8080
200.71.148.138:8080
201.184.105.242:443
201.251.43.69:8080
206.189.98.125:8080
211.63.71.72:8080
212.71.234.16:8080
217.160.182.191:8080
222.214.218.192:8080
24.45.195.162:7080
24.45.195.162:8443
27.147.163.188:8080
27.4.80.183:443
31.12.67.62:7080
31.172.240.91:8080
37.157.194.134:443
41.220.119.246:80
45.33.49.124:443
46.105.131.87:80
47.41.213.2:22
5.196.74.210:8080
59.103.164.174:80
62.75.187.192:8080
67.225.229.55:8080
78.24.219.147:8080
80.11.163.139:21
80.11.163.139:443
85.104.59.244:20
85.106.1.166:50000
85.54.169.141:8080
86.98.25.30:53
87.106.136.232:8080
87.106.139.101:8080
87.230.19.21:8080
91.205.215.66:8080
92.222.216.44:8080
92.233.128.13:143
94.192.225.46:80
94.205.247.10:80
95.128.43.213:8080

Epoch 2 - Spam C2s

23.253.207.142:8080
185.187.198.4:8080
46.228.205.245:4143

Epoch 2 - Stealer C2s

173.214.174.107:443
104.131.58.132:8080
176.31.200.130:8080
46.105.131.69:443
24.45.195.162:7080
24.45.195.162:8443
80.11.163.139:443
94.192.225.46:80
209.141.41.136:8080
46.29.183.210:8080
198.58.112.7:443
185.42.221.78:443

Current Epoch 2 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB

Epoch 3 C2s

113.52.135.33:7080
138.197.140.163:8080
143.95.101.72:8080
144.76.62.10:8080
157.7.164.178:8081
173.249.157.58:8080
176.58.93.123:80
178.249.187.150:7080
181.113.229.139:990
181.47.235.26:993
186.10.16.244:53
190.117.206.153:443
190.13.146.47:443
192.241.220.183:8080
200.55.168.82:20
201.196.15.79:990
203.99.182.135:443
203.99.187.137:443
203.99.188.203:990
212.112.113.235:80
213.138.100.98:8080
216.70.88.55:8080
216.75.37.196:8080
5.189.148.98:8080
51.38.134.203:8080
70.32.94.58:8080
78.109.34.178:443
83.169.33.157:8080
91.109.5.28:8080
93.78.205.196:443
94.177.253.126:80
95.216.207.86:7080

Epoch 3 - Spam C2s

192.241.241.221:443
185.187.198.5:8080
41.185.29.128:8080

Epoch 3 - Stealer C2s

178.32.255.133:443
198.46.150.196:7080

Current Epoch 3 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB

Credits and Notes Section


WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch
because they rock and report everything to ISPs as it is confirmed to be malware. Additionally,
this list MAY include doc DL URLs from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

What is Epoch 1, Epoch 2 and Epoch 3?


(09/17/19)
With the discovery of Epoch 3, which split from Epoch 1, this section will be rewritten in time to reflect these changes.

Community Lists/Samples


https://pastebin.com/NBrrVSpT - @excutemalware

https://otx.alienvault.com/pulse/5da4cfc209cc7632c784efcc - @SecSome

https://twitter.com/reecdeep/status/1183685203363090432
https://pastebin.com/2xSMEALG

https://twitter.com/Paladin3161/status/1183584219903053825
https://pastebin.com/CMvn0vkB

https://twitter.com/Paladin3161/status/1183584028751843328
https://pastebin.com/xcp7ZWhb

https://twitter.com/Paladin3161/status/1183723826787389441
https://pastebin.com/5SVWPPpb

(sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)

Credits

Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:

Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161

C2 info/RSA Keys - @CapeSandbox, @devnullnoop, @MalwareTechBlog, @lazyactivist192, @VK_Intel, @Paladin3161

Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @TheHack3r4chan, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk, Anonymous :)

Spam Templates - @devnullnoop, @lazyactivist192

Special thanks to @lazyactivist192, @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and 
helping out with this!

Very special thanks to @Binary_Defense, @lazyactivist192, @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project
https://github.com/decalage2/ViperMonkey, @digitalocean, @mploessel, @anyrun_app, @unixronin, @hurricanelabs, @MalwareTechBlog, @KryptosLogic,
@0xtadavie, @MsftSecIntel, @abuse_ch/urlhaus.abuse.ch, @urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software
at no charge to this cause!

Daily Log 10/14/19


@ps66uk and @jroosen here:
Getting out some bugs in our processes to get more streamlined. I wanted to take a second to thank everyone that helps us make this happen.
Thank you for your time, your effort and even just answering a simple question here and there. All of the work of the community goes together
to solve a bigger puzzle! 

It is late tonight and I will fill more in tomorrow. - @jroosen

General News


Marco Ramilli found what seems to be highly targeted malspam against a business that happened to use a remote SOC. We are not
sure this was more than reply chain spam that happened to get lucky (or use some intelligence for once) in selecting the right
email to reply to. We have reached out to the author for more info though, to be sure our suspicions are correct.
Original Article:
https://securityaffairs.co/wordpress/92501/malware/emotet-gang-targetes-external-soc.html

Herbie Zimmerman shared a handy way to get out the payload URLs from the latest series of docs here in his tweet:
https://twitter.com/HerbieZimmerman/status/1183853997846941698

Brad over @malware_traffic tweeted about a Trickbot gtag: mor21 followup to an initial Emotet E1 Infection here:
https://twitter.com/malware_traffic/status/1183773041177743360

Drops Report

D00RT was once again reporting on what was dropping where:

emotet/trickbot - JP
https://twitter.com/D00RT_RM/status/1183663002698027008

We also observed Trickbot gtag: mor21 dropping all over the globe today.

Email Template Report


We are still seeing strong spamming globally in various languages: reply chains and generic malspam. I am continuing to
see a steady increase in attachment malspam as the botnets build in strength.
I do not know what to make of the reasonably random distro of templates. Not sure why things vary like they do during the
day, but this chart that @ps66uk put together is interesting for watching how things fall into place:

Epoch  ModifyDate           CreateDate           Domain                Template
E1     2019:10:14 06:26:00  2019:10:14 06:26:00  coastaltherapy.com    office 365 lt blue
E2     2019:10:14 05:52:00  2019:10:14 05:52:00  tendenciasv.com       wizard
E3     2019:10:14 06:34:00  2019:10:14 06:34:00  sgnr.in               wizard

E1
E2     2019:10:14 08:04:00  2019:10:14 08:04:00  deredia.com           wizard
E3

E1     2019:10:14 14:00:00  2019:10:14 14:00:00  andrewsiceloff.com    wizard
E2     2019:10:14 14:06:00  2019:10:14 14:06:00  filegst.com           wizard
E3     2019:10:14 14:12:00  2019:10:14 14:12:00  shreeumiyagroup.com   wizard

E1     2019:10:14 21:43:00  2019:10:14 21:43:00  rastreon.com          office 365 lt blue
E2     2019:10:14 21:55:00  2019:10:14 21:55:00  voiceacademyusa.com   wizard
E3     2019:10:14 19:00:00  2019:10:14 19:00:00  tour.nicestore.co.kr  product notice

E1
E2     2019:10:14 22:53:00  2019:10:14 22:53:00  stn.methodist.org.hk  wizard
E3     2019:10:14 21:18:00  2019:10:14 21:18:00  bulby.pl              activation

(These are experimental, use at your own risk.)
Looks like only E2 is doing links now and it seems to be some of the old Regex. Here is what works lately:

These were updated:
https?:\/\/.+?\/(administrator|academy|alphabet|App_Data|assets|backup|beta|blogs|cache|cgi-bin|checkformats|cfm|consultation|core|css|DANE|Dane|demo|discuss_lib|direc|Document|DOC|Dok|DOK|esp|FILE|function.cheese|gallery|GoogleSpeech|hino|homepage|images|INC|Inf|INF|js|lib|LLC|lm|menusa|paclm|Pages|parts_service|phpmyadmin|Plik|popup_index|public|Scan|sites|sitemap|sox62c|SOUBORY|test|trademark|themes|tmp|uploads|wc-logs|webalizer|wordpress|WP2|wp-admin|wp-content|wp-Enfold|wp-includes)\/([A-Za-z0-9|]{7,36})\/(\"|\n)
https?:\/\/.+?\/([0-9a-z\-_]{3,11})\/([A-Z0-9\/]{7,32})?([A-Za-z]{7,32})\/(\"|\n)

These were not:
https?:\/\/.+?\/([A-Za-z0-9]{8,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{4,30})\/

Also keep in mind that your filter needs to look inside PDF files to find the URI to test against the patterns above;
otherwise this does not help.
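As an added example (not code from the Cryptolaemus page or the team's own scripts), the Python scanner below applies the four patterns quoted above, copied verbatim from the page including the `|` inside the first pattern's character class and the trailing `(\"|\n)` anchor, to a constructed sample of doc DL URLs taken from this page's lists, plus one benign WordPress URL and two made-up example.net/example.org URLs shaped for the older patterns. The rule names (`updated_dirlist`, `updated_generic`, `old_underscore_hyphen`, `old_docdirs`) are labels chosen here, and the newline appended to a final line without one is an addition so that the page's anchor still fires. It reports which rule fired for each line, misses included; one of this day's real E2 URLs matches none of them, which is the practical caveat behind "use at your own risk".

```python
import re

# The four patterns are copied verbatim from the page's "Email Template Report"
# (two marked "updated", two marked "not"). The updated ones end in (\"|\n), so they
# only fire when the URL is followed by a quote or a line break; the scanner therefore
# matches line by line with the line terminator kept. Rule names are labels chosen here.
RULES = [
    ("updated_dirlist",
     r'https?:\/\/.+?\/(administrator|academy|alphabet|App_Data|assets|backup|beta|blogs|'
     r'cache|cgi-bin|checkformats|cfm|consultation|core|css|DANE|Dane|demo|discuss_lib|direc|'
     r'Document|DOC|Dok|DOK|esp|FILE|function.cheese|gallery|GoogleSpeech|hino|homepage|images|'
     r'INC|Inf|INF|js|lib|LLC|lm|menusa|paclm|Pages|parts_service|phpmyadmin|Plik|popup_index|'
     r'public|Scan|sites|sitemap|sox62c|SOUBORY|test|trademark|themes|tmp|uploads|wc-logs|'
     r'webalizer|wordpress|WP2|wp-admin|wp-content|wp-Enfold|wp-includes)'
     r'\/([A-Za-z0-9|]{7,36})\/(\"|\n)'),
    ("updated_generic",
     r'https?:\/\/.+?\/([0-9a-z\-_]{3,11})\/([A-Z0-9\/]{7,32})?([A-Za-z]{7,32})\/(\"|\n)'),
    ("old_underscore_hyphen",
     r'https?:\/\/.+?\/([A-Za-z0-9]{8,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/'),
    ("old_docdirs",
     r'https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{4,30})\/'),
]
COMPILED = [(name, re.compile(pattern)) for name, pattern in RULES]


def classify_urls(text):
    """Return {url: [names of rules that fired]} for every non-blank line of text.

    URLs that match nothing are kept with an empty list so misses are visible next
    to hits. A final line with no terminator gets one appended (an addition here),
    because the page's updated patterns require a closing quote or newline.
    """
    results = {}
    for line in text.splitlines(keepends=True):
        url = line.strip()
        if not url:
            continue
        if not line.endswith("\n"):
            line += "\n"
        results[url] = [name for name, rx in COMPILED if rx.search(line)]
    return results


# Constructed sample: the first four lines are doc DL URLs from this page's lists, the
# fifth is a benign-looking WordPress upload, and the last two are made-up URLs on the
# reserved example.net / example.org domains shaped to exercise the older patterns.
SAMPLE_TEXT = """\
http://stn.methodist.org.hk/wp-includes/T8jR1an1/
https://j-cta.org/wp-admin/LgboYIm/
http://www.correlation.ca/fonts/FSKrYOc/
http://tendenciasv.com/wp-admin/1d972a/
https://www.example.com/wp-content/uploads/2019/10/report.pdf
http://example.net/archivedoc_abc12-201910140001/
http://example.org/Scan/abcd1234/
"""

if __name__ == "__main__":
    for url, fired in classify_urls(SAMPLE_TEXT).items():
        print(f"{url:65} {', '.join(fired) or '(no rule fired)'}")
```

The patterns key on a directory name and on the length and character class of the final path segment, so a hit means "shaped like an Emotet doc DL URL", not "confirmed malicious"; treat it as a candidate for sandboxing or URLhaus lookup. The miss on the `1d972a`-style E2 path shows the other side: a filter built only from these expressions will let some of the day's real URLs through, which is why the page pairs them with the explicit URL list above.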

Payloads Report


Something seemed to stop up the pipeline today at the Emotet malware factory around 15:00 UTC. I am not sure exactly what
happened, but we only saw 5-8 hash busts on each epoch. Some of them had a lot of corrupted downloads of late. This may mean
C2 issues.

There was a newer loader released today around 21:00 UTC that is smaller than 200KB, but I am not sure what the changes are yet.
If @lazyactivist192 has time, he may be able to see what he can find out tomorrow.

C2 Report


E1 86
E2 78
E3 32

110.36.234.146:80 moved from E3 to E1. While this is quite rare, we have seen it happen before; out of all the C2s, this
happens maybe a handful of times a month for unknown reasons.

Closing


Looks like there may be some distro/C2 problems in Emotet land. It could also be a harbinger of change.
Be on the lookout!

TT

Sandbox 10/14/19


E1 
https://capesandbox.com/analysis/2997/


E2
https://capesandbox.com/analysis/2995/


E3
https://capesandbox.com/analysis/2996/