Daily Emotet IoCs and Notes for 10/15/19

Emotet Malware Document links/IOCs for 10/15/19 as of 10/16/19 01:00 EDT

Notes and Credits at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.

http://adonis-negar.com/wp-admin/Amazon/En/Orders_details/2019-10/
http://antsmontessori.in/wp-admin/Amazon/EN/Transaction_details/102019/
http://avis.life/thumbnails/Amazon/En/Transactions/2019-10/
http://domainresearch.site/wp-admin/AMAZON/Clients_transactions/102019/
http://doypack.net.pl/wp-content/Amazon/En/Information/102019/
http://dtj.com.vn/wp-content/Amazon/En/Transactions-details/10_19/
http://gebrauchtwohnwagen24.de/wp-content/Amazon/En/Details/2019-10/
http://i5t.ir/wp-admin/Amazon/Clients_Messages/2019-10/
http://internetordbogen.dk/cgi-bin/Amazon/En/Clients_transactions/102019/
http://iranmadan.com/rdwfl/Amazon/Clients_Messages/10_19/
http://kursy-bhp-sieradz.pl/pub/Amazon/EN/Transaction_details/102019/
http://minemoore.com/wp-admin/AMAZON/Details/102019/
http://noithat168.vn/assets/Amazon/En/Clients_Messages/102019/
http://sextruyen.com/wp-content/Amazon/EN/Messages/2019-10/
http://sgnr.in/dietitiansakshi/Amazon/Transactions/102019/
http://sozvezdie.sgu.ru/wp-content/Amazon/Clients_information/10_19/
http://test2.hunterxx.com/wp-includes/Amazon/En/Orders-details/2019-10/
http://theamericanaboriginal.com/class.popular/Amazon/En/Attachments/102019/
http://tomasoni.ind.br/dashboard/Amazon/En/Transactions-details/10_19/
http://trungtamdayhocthaonguyen.edu.vn/cgialfa/Amazon/En/Transactions-details/102019/
http://unitedctc.com/wp-includes/Amazon/En/Clients_information/2019-10/
http://usad.sytes.net/usad/AMAZON/Details/102019/
http://vls-online.de/ab2ffb56648fc08f89197ae37a33a579/Amazon/EN/Payments/102019/
http://weidling.com.bo/CatalogoWeidling/Amazon/En/Clients_information/102019/
http://www.mobileheadlines.mobi/wp-content/Amazon/Payments/2019-10/
https://ai.forcast.cl/wp-content/plugins/Amazon/Clients_Messages/2019-10/
https://aideah.com/address/Amazon/Orders_details/10_19/
https://aideah.com/address/AMAZON/Payments/10_19/
https://buykaa.com/wp-admin/Amazon/Orders-details/10_19/
https://dakotv.online/wp-admin/Amazon/En/Payments_details/2019-10/
https://dibarcellona.it/tropcj8kfd/Amazon/EN/Transactions/102019/
https://diezeitinsel.de/wp-admin/Amazon/Clients_transactions/2019-10/
https://domainresearch.site/wp-admin/AMAZON/Clients_transactions/102019/
https://drovus.com/wp-content/Amazon/Clients/10_19/
https://ecotech.wegostation.com/yf92/Amazon/EN/Details/2019-10/
https://fundeartescolombia.org/wp-includes/Amazon/Information/10_19/
https://ghpctech.co.za/cgi-bin/AMAZON/Information/102019/
https://happyfava.com/Fb/Amazon/Details/102019/
https://i5t.ir/wp-admin/Amazon/Clients_Messages/2019-10/
https://jailaxmidigi.com/y0k0/Amazon/EN/Transactions/2019-10/
https://mundonovo.ms.gov.br/v2/Amazon/EN/Attachments/102019/
https://phamthaifood.com/4ib60l/Amazon/Orders-details/10_19/
https://taxisieradz.pl/wp-includes/Amazon/Transactions/102019/
https://womenslifestyle.co.za/wp-admin/Amazon/Attachments/10_19/
https://www.mundonovo.ms.gov.br/v2/Amazon/EN/Attachments/102019/
https://www.mxsii.com/wp-content/Amazon/En/Payments/2019-10/
https://yubantu.com/wp-includes/Amazon/Information/2019-10/
https://zin.com.vn/wp-includes/Amazon/En/Orders_details/10_19/
http://13.56.215.142/kqb/assets/uploads/banner/tFrFhrZlYxpyvwnghTEJGbB/
http://6-milescoast.vn/wp-content/s7rfibr3s3jbyrl30/
http://abelincolnplumbing.com/sitemap/lph4cp3uhcerg4eyyfuj8wshre/
http://computerservicecenter.it/wp-content/ggl5odmqj8118aclyyjygf0mbkhcts1/
http://decorstyle.ig.com.br/wp-content/languages/cAYciQWuiFGdqx/
http://doubscoton.fr/ghana-visa/fapigpcxajzexv/
http://echoxc.com/wp-content/ezz1hnj7vlk41ai5i28pkqb8eironillckl4e6/
http://ftk.unsada.ac.id/u8uu/ru046mehrv3m1x6ufa4iblgokynts0eyfc38eo/
http://homeconcept.rs/cgi-bin/kf5is9fl37n0lo7ddczwx2oxd/
http://infinite-help.org/blogs/uuw3a2dqi4y4e9lts/
http://lamme.edu.vn/wp-admin/lbc0mscsps2f6c46rml4auf/
http://mododimarmi.co.uk/balloon_lib/5630dcudhqdpepof3hwh6nhwhq1qlkp222/
http://naytigida.ru/wp-content/5f99r985ssptpqgzmzl8vl/
http://nucleitech.co/cgi-bin/hapllbfq4h2ow26z6pufhxtj/
http://pandajj.jp/mobile/u7uo2wgjrrriurf2813wntl14t/
http://phukiennhabepgiare.com/asgypk/sklsdbzy202mcb/
http://practic.eu/wp-admin/hzzfehgkucdyy5u6/
http://propase.de/bia/SdSLXJuUwuNru/
http://quangcaogiaodich.com/wp-content/upgrade/xgzh62p8cavq8mkb/
http://raanjitshrestha.com.np/sitemaps/85zcxslcih6cva78kh7tclwt9okmb1o1josb9a/
http://ristrutturaitalia.com/softaculous/3howjjtxeekvig9ojttljcas3qprev/
http://vencury.com/wp-includes/bypz06s0cpojqzdhq2h386dd018n4k633/
http://www.alertaempresarial.com.br/wp-content/eksyeGiDnKFgyVFYWCD/
http://www.computerservicecenter.it/wp-content/ggl5odmqj8118aclyyjygf0mbkhcts1/
http://www.thebloodhandmovie.com/4f1wvc8cql/aGVSsdeXvA/
http://www.uk-scholars.co.uk/tmp/JUfUimFF/
https://6-milescoast.vn/wp-content/s7rfibr3s3jbyrl30/
https://afghanbazarrugs.com/txj/papkaa17/re_honey/BNKakubLkcGukSpqU/
https://eagleswingsbrasil.com.br/wp-content/cvftbl8h48wcvcxo8tqfi3i/
https://homeconcept.rs/cgi-bin/kf5is9fl37n0lo7ddczwx2oxd/
https://integralmakeup.com/blogs/5epbb5lije9k5lkyp/
https://mimaarifsumbersariunggul.com/tipskeluar.ga/0n8wfvk3ymnb946y4gbsnre6p/
https://mododimarmi.co.uk/balloon_lib/5630dcudhqdpepof3hwh6nhwhq1qlkp222/
https://naytigida.ru/wp-content/5f99r985ssptpqgzmzl8vl/
https://nucleitech.co/cgi-bin/hapllbfq4h2ow26z6pufhxtj/
https://practic.eu/wp-admin/hzzfehgkucdyy5u6/
https://raanjitshrestha.com.np/sitemaps/85zcxslcih6cva78kh7tclwt9okmb1o1josb9a/
https://wolfoxcorp.com/wp-admin/rpwkkRpA/
https://www.openwaterswimli.com/roawk/uojyabzmujpk8xj01v2vdpsck/

<none>

Payloads per Epoch by Document

Epoch 1 Payloads by Document SHA256 - All Times UTC


Creation Time	2019-10-15 20:27:00 (Attachment Only - Doc based - Office 365 Light Blue)
SHA256:
1272407a4f539ba89289b4f9a5f3f21e2b93175754ec2ede5f4293defccec426
690501aa83c490c2d1a3e67656fb989315bcc36c7141aa218712f96e34b47d7e
071f17da843b9a60c01a2363ba7abd47a32762374711012a9f5130feb2beb7d8
fb560ae5ca853646da335a5f5103a62af230206eb28050c9e2273264dc0ba1e9
595aa34e97e38ccdcf5288a910ca47cafc56c68aaf8ce82153b93d0a681eeb49
f92d8f0727ce63ff92eeacfad78868c22b0a6b93180e818192e8f39522b55489

https://kenoryn.com/wl96sonk/3twu0732/
https://monteriaradio38grados.com/93dqf1b/2778/
http://dsiun.com/wp-content/plugins/ku799fw5/
https://ncaaf-live-broadcast.xyz/wp-admin/v532/
http://digitalvriksh.com/database/g31259/

Creation Time	2019:10:15 18:46:00	(Link Based - Doc based - Protected View)
SHA256:

https://yourgpshelper.com/wp-admin/vh6228400/
https://kyokushinmiddleeast.com/wp-content/d4hobs889/
https://tamakoshisanchar.com/hthz91/k6ilycx353/
http://www.bergamaegesondaj.com/1t20111y63/ic5501/
https://www.organizersondemand.com/cgi-bin/6vtd7304/

Creation Time	2019:10:15 14:29:00	(Link Based - Doc based - Activation Wizard)
SHA256:
4bfd5a4e581dd85cab23508eecbcbad89550cbe060408be3d747d1e8eea04fd9
6815ab89d025eae163fcd448aaa4a87f8730ee8961b724a2b3470360dc9037bd
18000ebe7c49c94eca6e58664214f97c3185969abdcd2044c70299928d42aaf8
7b95dc2b98eb124084181e9dda48bfa70045b870db5caf4df15aa61a3ad92714
5a8412ec688e8386bb2730ba2ef807e6cde91188100d5059cd483616212e1598
ea45c1d1a4d48b7ec172b1e918631f8232c6f1c140cee0e5d96ce268f5f873c7
4d7c1c7c4ff40498bc65ad2f4aca01a7922d25d2d4af1098e5bc99db4f9adddb
74230383430602f2b347920321b50ae83d3fd57239d330992fe4ac8f4afc8bf2
1bece13571bf31298dc30330de0f43eed3c1c2f4cbac6611cff004745743abf8
ae9754684f8deeb5bf3e3c92c0c08a5d6427292f27229801a7239674c0c3f98a
c1b0e020e6c4fa5acdd45738fea950410f145686ccf8e4bfe1043ae579b5bb1a
c899750aec102373fd71d7925e2df439f974a4f568095f119525bb3ca2f29696

http://nazmulchowdhury.xyz/wp-admin/436n7t4/
http://www.cmalamiere.com/wp-admin/ta04mn49702/
http://nuhoangsexy.net/cgi-bin/a8hfqc0/
http://shakerianpaper.com/wp-includes/rfl396/
https://learntech2earn.com/learntech2earn.com/7vsva2359/

Creation Time	2019:10:15 10:59:00	(Attachment Only - Doc based - Protected View)
SHA256:
e061fc196548258cdf45ceb1fe070b3341b126ae2dcc228a50f64dfcd14ce5a2
7f3ecc0a0c414c22b201be7a7e9340b176b904a759f2eb0ef6d7ece60b94fac5
f658562149b0bfe1d2573f6944f1f0c9a685964d6520e8ec94e06c61d4cd7ba6
3ee7382ce422f248581ce2b9bac4fede98b404476305372b5b5d8b2d0a526860
723665559d82ad10ff008347bba19514ae4dbc74081d0ea4f4e6d2bc6829b9b2
0029ae9d5f47187d586e165f0c8d6570f45b02b5119ec1017db53f361c00a64e
23a1816874f187f506dcec05e215e6aa9ad2e5aa5ae724fde708d09811211927
3cc81f3afddb01557b191ea19b85f9741814c3d91740979244e8a6f54c1dd27d
c10f92893f43eea05733b1b4b8ec0d8aac8573a5da19c79a26f2edec85aa80fe

https://gpmandiri.com/backup/9uda06/
https://amazingbdshop.com/coin/f6bvd843/
http://socosport.com/sitemap/4is36803/
http://mwclinic.com/cgi-bin/p23602/
https://www.technicalakshay.com/HiBossRefer/x3ywyx44354/

Creation Time	2019:10:15 06:30:00	(Attachment Only - Doc based - Office 365 Light Blue)
SHA256:
6583f644ae00be1b2a7065d1968db14e3bd800a2ba85bf02fbf4957f4cf25f4f
e3afb8fae1ccace6f21f2dfae82b06b4027bf3d65d7affe88f4e01a32f10f77a
f4050822237ae5128bb06dc93ef57505096ce73bdb8c01d94d6ad6173f48424a
0df06a7276916bee5c55f6945444661e726d3254957f380ac7bf9a5faaeaa0f4
8fedcc1999503bfcfe1c5f6c96a43bcbdcca8f12b81449f120d7adbbb8981565
592408b90e55cb8b8a313766e7f9e93d3f5aa37da57e83a8173688a03c374e95
7050b208aba6653d1d215066f96335a95f44dd413eca9073a1186308fd4c3748
9d5e30a8fda7248fb95fe78154d3c8904142c49deb17b44eadb1a7d9c3c0b807
5a892f00438c83f38c17eceef0ad34ff1041d573f00b1ebf2c149149be3d13c8
f3ac3cb3c32a7bc99099f0e4cf3c15d0be31bcfe575c90aefedc35962b3790ed
f65d26f21c88de99e8a3899d938492ed695b451ddce518c8e3b20babb05482de
9f526c3a522915c297de0e18380598309d22d892e461ac2bb41382472c10882e
5b13915c59441e32692d03e1df316cfb7f23b2655a3f6d2110467621391918a1
69c81cf5685167a686f138026336486cc7493ad59e9fabcc930741e780f0b142

https://luaviettours.com/wp-content/qk10566/
https://rocketbagger.com/0iayq/7m39842/
http://rachel-may.com/stats/qkn501182/
https://za-ha.com/test/g3h06/
https://jkwardrobe.com/zvap/nh48k06442/

Creation Time	2019:10:14 22:32:00	(Attachment Only - Doc based - Office 365 Light Blue)
SHA256:

http://www.offmaxindia.com/wp-includes/smu471/
http://ahenkhaircenter.com/blogs/k8iuno285918/
https://dieutrixuongkhop.xyz/wp-admin/rts7nl6310/
http://bluem-man.com/wp-content/uploads/2019/10/btrua567818/
https://agusbatik.xyz/wp-includes/5e6252/

SHA256s for Epoch 1 Payload EXEs

3b84df99ab9980cfb87380d48f8819bd217eea2553e3e3d2a2942ab35a1688e0
908619a387352495ff2ea2d8e46c70aa1e390dd5f6a87e5898d5eb146e30cf85
4ccb4e885119ed8356f145caa1856f0b617701c6fe85e2523a499ca4e2959da2
5a51b5ef825d24b6c6e80a155a2a58d9f5a80f6d34b3f45059a38c6073116c09
0bc19c1c25a5884dd846841150c9de183a78a509e6480536e5ff723eef4e188a
447a57b8ca984ee2d39cfe7e879a2a79bd6382d025f733a7553da87a4b1761c7
83b59305347b3939113353adcfd1f8cefa64f97a7ef58dde3d579471b4f0b935

Epoch 2 Payloads by Document SHA256 - All Times UTC


Creation Time	2019-10-15 23:01:00	(Attachment Only - Doc based - Activation Wizard)
SHA256:
a2eb4f874c6413b15efaa65685fa08b732becd0b95f9f475f3cb73bed3829efe
218c45c91fa0be74585431f8c31e051d14cfb4f7c4d2fd8fa907437a0931bb92
8bca3619e1d96a4f65c87ddf636f4b8c2ee685a7b9498ab486e79ceae8da118e

https://avizhgan.org/wp-admin/ovUE5/
http://specialolympicsthai.com/wp-admin/si/
https://clubforabeautifulpeople.com/amazon/o8ipu7/
http://alefban.ir/wp-admin/t1/
https://stmarymagdaleneanglican.com/audio/6j1o/

Creation Time	2019:10:15 20:22:00	(Attachment Only - Doc based - Activation Wizard)
SHA256:
028ae05dcd0701c88f8a84b7ae03dc831e02feeceff2f6d4a918f5f9fbb4151d
70d3f1e487250b276d1d1c623aba03396ce3358ac248b06cd6f61034d674a3c4
44493ff5aaaecaa4766b4a635e18959a4969a0e26731569d3123fbba7173097e

https://outletsmm.com/wp-includes/LLRy/
http://gogoldteam.com/wp-admin/iaurh3/
https://mipitaly.com/wp-includes/zsw7/
https://armoniaterra.com/css/whh/
https://www.tastytasty.org/cgi-bin/itz6eK/

Creation Time	2019:10:15 14:24:00	(Attachment Only - Doc based - Activation Wizard)
SHA256:
2c86551de2ee6c2d5efc4ca6c9827e39d8cda122feb6918c0a2589c7481a9a2e
0741442af57012483cf19a051af75c8d88051990e97279cecf01e30e28f72924
dff2f28ac588547f2dac0a18adea063b83f05e982d8c8d30a026a7ef4f957f7d

http://alicellimports.com.br/wp-content/v7y/
http://www.orchardim.com/wp-content/themes/bb-theme/xVZcU/
http://angeliclady.com/wp-admin/3zha/
https://www.quantangs.com/a7421hv/ugr/
http://advaitatours.com/wp-content/EcdN/

Creation Time	2019:10:15 12:30:00	(Link Based - Doc based - Activation Wizard)
SHA256:

https://mokhoafacebookvn.com/wp-content/themes/lalita/Kj6VMJsiof/
http://newgensolutions.net/joomla_30/n0k0/
https://sodadino.com/wp-admin/gczk/
http://www.turbodisel.net/wp-content/8AsE/
https://codedriveinfo.com/RasilaKitchen/rUJtk/

Creation Time	2019:10:15 06:37:00	(Link Based - Doc based - Activation Wizard)
SHA256:

http://drapart.org/Prensa/wn/
http://kikinet.jp/ds/b54LWnii45/
http://pbcenter.home.pl/pbc/ib3k/
https://proxectomascaras.com/wp-admin/FUCPOXyKQU/
http://blog.yst.global/wp-content/languages/2jlffy/

SHA256s for Epoch 2 Payload EXEs

Epoch 3 Payloads by Document SHA256 - All Times UTC


Creation Time	2019-10-15 20:31:00 (Attachment Only - Doc based - Office 365 Light Blue)
SHA256:
ca233b0697ce71f04a9e6e71607824c5025d0a322c5655317f31a9ff8faf9724
8fd59e9d4cf0204fb2150669371ba4b76b21a240c69d59dbf2046289659e0339
f26b2247511e08b80a30cc56ad3d320f0bc3f9736311b4c1a9ff0b01556f0a3b

https://www.showlize.com/wp-admin/UEZadGA/
https://volvoselektshop.no/wp-includes/KoBdQv/
http://hardpro.online/wp-admin/MsdBsRq/
http://4carisma.com/wp-includes/6yuc4j-b4bav9hl-78292/
http://tour.nicestore.co.kr/wp-content/9eud0sth-corn4suz-8842819/

Creation Time	2019:10:15 18:41:00	(Attachment Only - Doc based - Activation Wizard)
SHA256:
50ba6c11a19df2620491682d944eefd0ad856f1253c59b4959500aa0c5182a60
84a7a9dd1e4fc9bc8e316ea6a894d489da74ab4208bc5a2fe9ed06bbd98eac55
8778f1762abf9b1deae0d8b76105946cb3a25332c6335dd7e4aca5bbff499116
a148042d873b28da79ba005e604a2e7d28227830fe1264d29fb679a8e23695b7

http://www.vatro.cl/wp-content/8vf1-mheqjsye-27023898/
http://www.wferreira.adv.br/wp-admin/CbBnUJQ/
http://prewento.com/imageupload/eghdelc-zhj9tjrxx-38035901/
https://mbve.org/wp-content/tUpjsi/
https://travelstream.com.au/wp-content/TkocEVA/

Creation Time	2019-10-15 12:56:00 (Attachment Only - Doc based - Activation Wizard)
SHA256:
614a8ef97f7f6c4e718b1fd7a4fedac995e1289ac4477bbc1f457a233f464ef0
d1c49eeb9e4350c4ebbd656ab9d6fa457c3a057b25755d41104854eb410081dc
d3d0919a80cc46fba029eb2f331804b34ca4ac839f2291843d31a91912b516fe
b9fab5e620ea5ec59c44a3872cafba4df29184c9575a24c2938652ab117853ea
3207b07d4dad052adf1f5447b56722f8a1a22186e5c49e3478d85be6766f0dfb
40c4beeaa000e872f1dda534948f075daf934fead512eba803296db0f591a598
0437364c362b0416dbc13ec438f3ac833e2f247e40f6a1db33720e07197666d9
7d832f2a1a8cce5a4bfc0167af31d1eb5bb9727346ce70dfe6d3dda728d9297d
79bde91228ed0e22355d282894439abd811b19d99d4c16e14565f9289202fd20
39116e70ccf0ca32b442f140e24bb2aad72584275df034cd9921804261a556a4
be72c05c4d22e148571af37229c198237569ac33db54c1808ea54b262cb21cab
7238181b9475f8848e793cba69112d5b514840ed00e7a20793ae64feeb708383
ca5bf3d75505de3906a5d934bf39efc9b0bbbb2bd6e5b573ebfdd1b9a4186717
4aa739c88b1524a5dab32949050d69a170622e979302b2fff4cbdb842061d118

https://www.billboardstoday.com/browser/RmFAYq/
http://www.dipeshengg.com/test1.dipeshengg.net/tQwvlFnK/
http://atlanticcity.com/bignews/wp-content/cache/wp-rocket/WTySNG/
http://pharm-aidrx.com/wp-admin/CebJmLd/
http://muhakkikkalemler.com/wp-content/yfzxewwU/

Creation Time	2019:10:15 06:14:00	(Attachment Only - Doc based - Activation Wizard)
SHA256:
fe36d7abab37c33f53f880b854adbdc41c477c29e22bcd4c05157c64f1092502
acf5ae92cb4790c618954890e937bdee1d7d4f0cdaea6d5a7830ea458a6dfeeb
2cac3bd06e20880356b15050a2b8c68c91041e898d733820babfd9f9a6868c6c
75b2dad768ab13fbe100739c5a0fffed2da92b3dcccfed3876e86df6d5fcff2c
13b75ebb603ecd470f6d4a374bb81cb9770aa95af31e6fc2926ccff9d432cfd0
1606d9614cdab77b6d8b6b85e72e89a799ad6c12fefb44da496642fe070f9c27

http://medienparadies.com/wp-content/bvAXLWZ/
https://www.8hu.me/wp-includes/ihgyi-wmhzz3e-35993/
http://www.mscr.in/pomyo/8dpt-ok5r9-195/
http://gaspardetvalentine.fr/wp-includes/go9v14-d2ynk-011503/
http://cert-center.ir/wp-content/9lwy4-zp25txg-12/

SHA256s for Epoch 3 Payload EXEs

1d87e313dc2ac37a7f618221614cd21616bf368cc450bdec07fc00f5ba99af75
95ece329880c6772146256a7efc273bfa7b8228b37fcb542668a58e344f7780c
5d4f975ecd81b7b7b137248174b40ed935db6a9aab30279e38dddae4a5ab7a8a
78ff30dad5b8e1f4ed05f2af139805673bf567b92c8ff17de0f3212394c7f0c8
bfdc3d72a69f8b5d91dcd726788840e6aa5d3c748f71ef0cd047de44f85e2798
4bbfadcc074943af243cae7a9425575614e27b446b323f1db450c37b6c74652f
1ad0035a970f4babc4060839210c385bab09fac65651c8d15e1284b95feb7f35

C2s Per Epoch

Epoch 1 C2s

104.131.58.132:8080
109.104.79.48:8080
109.169.86.13:8080
110.36.234.146:80
114.79.134.129:443
119.159.150.176:443
119.59.124.163:8080
119.92.51.40:8080
123.168.4.66:22
125.99.61.162:7080
138.68.106.4:7080
139.5.237.27:443
14.160.93.230:80
142.93.82.57:8080
149.62.173.247:8080
151.80.142.33:80
159.203.204.126:8080
170.84.133.72:7080
170.84.133.72:8443
178.249.187.151:8080
178.79.163.131:8080
181.143.101.18:8080
181.188.149.134:80
181.29.101.13:8080
181.36.42.205:443
181.44.166.242:80
181.59.253.20:21
183.82.97.25:80
184.69.214.94:20
185.187.198.10:8080
185.86.148.222:8080
186.0.95.172:80
186.1.41.111:443
187.188.166.192:80
189.160.49.234:8443
189.166.68.89:443
190.1.37.125:443
190.10.194.42:8080
190.104.253.234:990
190.221.50.210:8080
190.230.60.129:80
190.230.60.129:8080
190.38.14.52:80
190.85.152.186:8080
190.97.30.167:990
200.51.94.251:143
200.57.102.71:8443
200.58.171.51:80
201.163.74.202:443
201.199.93.30:443
203.25.159.3:8080
212.71.237.140:8080
217.199.160.224:8080
46.101.212.195:8080
46.163.144.228:80
46.28.111.142:7080
46.29.183.211:8080
46.41.151.103:8080
5.1.86.195:8080
5.196.35.138:7080
50.28.51.143:8080
51.15.8.192:8080
62.75.143.100:7080
62.75.160.178:8080
68.183.170.114:8080
68.183.190.199:8080
71.244.60.230:7080
71.244.60.231:7080
74.208.68.48:8080
76.69.29.42:80
77.245.101.134:8080
77.55.211.77:8080
79.129.0.173:8080
79.143.182.254:8080
80.85.87.122:8080
81.169.140.14:443
82.196.15.205:8080
86.42.166.147:80
87.106.77.40:7080
88.250.223.190:8080
89.188.124.145:443
91.205.215.57:7080
91.83.93.124:7080
94.183.71.206:7080

Epoch 1 - Spam C2s

37.187.5.82:8080
45.55.82.2:8080
185.94.252.27:8080

Epoch 1 - Stealer C2s

190.115.18.139:8080
75.127.72.18:8080
173.214.174.107:443

Current Epoch 1 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB

Epoch 2 C2s

101.187.237.217:20
104.131.11.150:8080
104.131.44.150:8080
104.236.246.93:8080
115.78.95.230:443
124.240.198.66:80
133.167.80.63:7080
136.243.177.26:8080
138.201.140.110:8080
144.139.247.220:80
149.202.153.252:8080
152.89.236.214:8080
159.65.25.128:8080
162.241.208.52:8080
167.71.10.37:8080
169.239.182.217:8080
173.212.203.26:8080
178.79.161.166:443
181.143.194.138:443
181.143.53.227:21
181.31.213.158:8080
182.176.106.43:995
182.176.132.213:8090
182.76.6.2:8080
185.187.198.15:80
185.94.252.13:443
186.4.172.5:443
186.4.172.5:8080
186.75.241.230:80
189.209.217.49:80
190.106.97.230:443
190.108.228.48:990
190.145.67.134:8090
190.211.207.11:443
190.226.44.20:21
190.228.72.244:53
190.53.135.159:21
192.81.213.192:8080
198.199.114.69:8080
199.255.156.210:8080
200.113.106.18:465
200.51.94.251:80
200.71.148.138:8080
201.184.105.242:443
201.251.43.69:8080
206.189.98.125:8080
211.63.71.72:8080
212.71.234.16:8080
217.160.182.191:8080
222.214.218.192:8080
24.45.195.162:7080
24.45.195.162:8443
27.147.163.188:8080
27.4.80.183:443
31.12.67.62:7080
31.172.240.91:8080
37.157.194.134:443
41.220.119.246:80
45.33.49.124:443
46.105.131.87:80
47.41.213.2:22
5.196.74.210:8080
59.103.164.174:80
62.75.187.192:8080
67.225.229.55:8080
69.164.201.54:8080
78.24.219.147:8080
80.11.163.139:21
80.11.163.139:443
85.104.59.244:20
85.54.169.141:8080
86.98.25.30:53
87.106.136.232:8080
87.106.139.101:8080
87.230.19.21:8080
91.205.215.66:8080
92.222.216.44:8080
92.233.128.13:143
94.192.225.46:80
94.205.247.10:80
95.128.43.213:8080

Epoch 2 - Spam C2s

23.253.207.142:8080
185.187.198.4:8080
46.228.205.245:4143

Epoch 2 - Stealer C2s

173.214.174.107:443
104.131.58.132:8080
176.31.200.130:8080
46.105.131.69:443
185.42.221.78:443
198.58.112.7:443
46.29.183.210:8080
209.141.41.136:8080

Current Epoch 2 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB

Epoch 3 C2s

113.52.135.33:7080
138.197.140.163:8080
143.95.101.72:8080
144.76.62.10:8080
154.120.227.206:8080
157.7.164.178:8081
176.58.93.123:80
178.249.187.150:7080
181.113.229.139:990
181.47.235.26:993
186.10.16.244:53
190.117.206.153:443
190.13.146.47:443
192.241.220.183:8080
200.55.168.82:20
201.196.15.79:990
203.99.182.135:443
203.99.187.137:443
203.99.188.203:990
212.112.113.235:80
213.138.100.98:8080
216.70.88.55:8080
216.75.37.196:8080
5.189.148.98:8080
51.38.134.203:8080
70.32.94.58:8080
83.169.33.157:8080
91.109.5.28:8080
94.177.253.126:80
95.216.207.86:7080

Epoch 3 - Spam C2s

192.241.241.221:443
185.187.198.5:8080
41.185.29.128:8080

Epoch 3 - Stealer C2s

178.32.255.133:443
198.46.150.196:7080

Current Epoch 3 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB

Credits and Notes Section


WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch 
because they rock and report everything to ISPs as it is confirmed to be malware. Additionally, 
this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
 
NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

What is Epoch 1, Epoch 2 and Epoch 3?


(09/17/19)
With the find of Epoch 3 that split from Epoch 1, this section will be rewritten to reflect these changes in time.

Community Lists/Samples


https://twitter.com/Paladin3161/status/1184089483395756033
https://pastebin.com/WTWUJBZD

https://twitter.com/Paladin3161/status/1184089200410296322
https://pastebin.com/pXwf1fen

https://twitter.com/Paladin3161/status/1184306042181545984
https://pastebin.com/0NJ2kRXi

https://twitter.com/Paladin3161/status/1184306254396583936
https://pastebin.com/56RnJ7w4

jp host
https://twitter.com/tiketiketikeke/status/1184070345671577600

https://pastebin.com/K7wcB4rt - @executemalware

(sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)

Credits

Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:

Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161

C2 info/RSA Keys - @CapeSandbox, @devnullnoop, @MalwareTechBlog, @lazyactivist192, @VK_Intel, @Paladin3161

Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @TheHack3r4chan, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk, Anonymous :)

Spam Templates - @devnullnoop, @lazyactivist192

Special thanks to @lazyactivist192, @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and 
helping out with this!

Very special thanks to @Binary_Defense, @lazyactivist192, @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project
https://github.com/decalage2/ViperMonkey, @digitalocean, @mploessel, @anyrun_app, @unixronin, @hurricanelabs, @MalwareTechBlog, @KryptosLogic,
@0xtadavie, @MsftSecIntel, @abuse_ch/urlhaus.abuse.ch, @urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software
at no charge to this cause!

Daily Log 10/15/19


@jroosen here, @ps66uk and I worked on compiling this list from all of the group members today. :)
Another day and another pile of Emotet docs. I can tell you the last two days I have seen spam numbers I have not seen in months. I hit about
50 generic malspams yesterday after hours and about 25 or so today. All of them have been of the annoying generic attachment variety for the 
most part. Once again, if it has an Office macro, into the trash it goes. I don't understand how this type of attack is so prolific. 
Nevertheless, the botnets are gaining strength and bot counts now. I am sure we are going to see more and more links. 

General News


Today E1 brought back the Amazon template from last year. We tweeted about that earlier here:

https://twitter.com/Cryptolaemus1/status/1184192833303044100

Drops Report


We saw a variant being dropped of Gozi V3 this morning that was not using the tor module. We also saw more Trickbot drops and of course
gtag: mor22 now. How about gtag: les00 sometime? :) 
Per Usual @D00RT_RM was tweeting about drops:
https://twitter.com/D00RT_RM/status/1184227358011809792
Also Brad @malware_traffic was showing the activity of the latest Trickbot gtag: mor22 with a new settings.ini renamed to TRRBlacklist.txt:
https://twitter.com/malware_traffic/status/1184149648673402880

Email Template Report


We are noticing a lot of docs lately across all epochs at all times of the day. It seems like the normal shutdown time after 1-2UTC is 
no longer being done and the botnets are continuing to spam throughout the night. Particularly targeting JP, KR and HK but also the 
favorite punching bags of late, which include DE, PL and ES. Templates are being sent in the native language text of the target.
That means that in a one hour spam we saw JP, KR, DE, PL and ES all being sent at once. Strangely we also saw RU being targeted
in native Russian language which seems to indicate that not even Putin scares Ivan and the Emotet gang.

E1 Creation Time	2019:10:14 22:32:00	(Attachment Only - Doc based - Office 365 Light Blue) www.offmaxindia.com

E1 Creation Time	2019:10:15 06:30:00	(Attachment Only - Doc based - Office 365 Light Blue) luaviettours.com
E2 Creation Time	2019:10:15 06:37:00	(Link Based  - Doc based - Activation Wizard) drapart.org
E3 Creation Time	2019:10:15 06:14:00	(Attachment Only - Doc based - Activation Wizard) medienparadies.com

E1 Creation Time	2019:10:15 10:59:00	(Attachment Only - Doc based - Protected View) gpmandiri.com
E2 Creation Time	2019:10:15 12:30:00	(Link Based  - Doc based - Activation Wizard) mokhoafacebookvn.com
E3 Creation Time	2019:10:15 12:56:00 (Attachment Only - Doc based - Activation Wizard) billboardstoday.com

E1 Creation Time	2019:10:15 14:29:00	(Link Based - Doc based - Activation Wizard) nazmulchowdhury.xyz
E2 Creation Time	2019:10:15 14:24:00	(Attachment Only - Doc based - Activation Wizard) alicellimports.com.br
E3 

E1 Creation Time	2019:10:15 18:46:00	(Link Based - Doc based - Protected View) yourgpshelper.com
E2 
E3 Creation Time	2019:10:15 18:41:00	(Attachment Only - Doc based - Activation Wizard) www.vatro.cl

E1 Creation Time	2019:10:15 20:27:00 (Attachment Only - Doc based - Office 365 Light Blue) kenoryn.com
E2 Creation Time	2019:10:15 20:22:00	(Attachment Only - Doc based - Activation Wizard) outletsmm.com
E3 Creation Time	2019:10:15 20:31:00 (Attachment Only - Doc based - Office 365 Light Blue) showlize.com

E1 
E2 Creation Time	2019:10:15 23:01:00	(Attachment Only - Doc based - Activation Wizard) avizhgan.org
E3

As you can see above, we are over the normal churn of 4 sets of 5 payloads (quintets) a day; we are now seeing 5+ in some cases.

(These are experimental, use at your own risk.)

E1 brought back the same regex from last year with the Amazon Template. This Regex handles it just fine:
https?:\/\/.+?\/(AMAZON|Amazon)\/.+?\/([0-9\-_]{5,7})\/
Looks like only E2 is doing links now and it seems to be some of the old Regex. Here is what works lately:

These were revived/updated:
https?:\/\/.+?\/(AMAZON|Amazon)\/.+?\/([0-9\-_]{5,7})\/

These were not:
https?:\/\/.+?\/(administrator|academy|alphabet|App_Data|assets|backup|beta|blogs|cache|cgi-bin|checkformats|cfm|consultation|core|css|DANE|Dane|demo|discuss_lib|direc|Document|DOC|Dok|DOK|esp|FILE|function.cheese|gallery|GoogleSpeech|hino|homepage|images|INC|Inf|INF|js|lib|LLC|lm|menusa|paclm|Pages|parts_service|phpmyadmin|Plik|popup_index|public|Scan|sites|sitemap|sox62c|SOUBORY|test|trademark|themes|tmp|uploads|wc-logs|webalizer|wordpress|WP2|wp-admin|wp-content|wp-Enfold|wp-includes)\/([A-Za-z0-9|]{7,36})\/(\"|\n)
https?:\/\/.+?\/([0-9a-z\-_]{3,11})\/([A-Z0-9\/]{7,32})?([A-Za-z]{7,32})\/(\"|\n)
https?:\/\/.+?\/([A-Za-z0-9]{8,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{4,30})\/ 

Also keep in mind, your filter needs to look inside PDF files to find the URI to test against these above. Otherwise
this does not help.
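To show how these patterns behave against real doc DL URLs, here is a small Python checker I added for this write-up (it is not Cryptolaemus code and not part of the original paste). It takes the regexes above verbatim, labels them with names I chose, and runs them over a constructed message body made of URLs copied from the lists on this page plus one benign URL. Each URL is tested with a trailing newline appended, because the older patterns end in `(\"|\n)` and only fire when the final slash is followed by a quote or a line break, which is what you get from a mail body or extracted PDF text.

```python
import re

# Regexes copied verbatim from the notes above; the dict keys are labels I chose.
DOC_URL_PATTERNS = {
    # revived/updated for the returned Amazon template
    "amazon_2019": re.compile(
        r"https?:\/\/.+?\/(AMAZON|Amazon)\/.+?\/([0-9\-_]{5,7})\/"),
    # older patterns the notes list as unchanged but still in use
    "old_dirlist": re.compile(
        r"https?:\/\/.+?\/(administrator|academy|alphabet|App_Data|assets|backup|beta|blogs|cache|cgi-bin|checkformats|cfm|consultation|core|css|DANE|Dane|demo|discuss_lib|direc|Document|DOC|Dok|DOK|esp|FILE|function.cheese|gallery|GoogleSpeech|hino|homepage|images|INC|Inf|INF|js|lib|LLC|lm|menusa|paclm|Pages|parts_service|phpmyadmin|Plik|popup_index|public|Scan|sites|sitemap|sox62c|SOUBORY|test|trademark|themes|tmp|uploads|wc-logs|webalizer|wordpress|WP2|wp-admin|wp-content|wp-Enfold|wp-includes)\/([A-Za-z0-9|]{7,36})\/(\"|\n)"),
    "old_mixed": re.compile(
        r"https?:\/\/.+?\/([0-9a-z\-_]{3,11})\/([A-Z0-9\/]{7,32})?([A-Za-z]{7,32})\/(\"|\n)"),
    "old_underscore_dash": re.compile(
        r"https?:\/\/.+?\/([A-Za-z0-9]{8,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/"),
    "old_docdirs": re.compile(
        r"https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{4,30})\/"),
}

# Crude URL extractor for text that has already been pulled out of the mail or PDF.
URL_RE = re.compile(r"https?://\S+")


def classify_urls(text):
    """Return {url: [labels of patterns that match]} for every URL found in text.

    A newline is appended to each URL before testing, since the older patterns
    require a quote or newline right after the closing slash."""
    results = {}
    for url in URL_RE.findall(text):
        hits = [name for name, rx in DOC_URL_PATTERNS.items() if rx.search(url + "\n")]
        results[url] = hits
    return results


def flagged_urls(text):
    """URLs that hit at least one doc DL pattern, in order of appearance."""
    return [url for url, hits in classify_urls(text).items() if hits]


# Constructed sample body: four URLs from the lists on this page plus one benign URL.
SAMPLE_BODY = """\
http://adonis-negar.com/wp-admin/Amazon/En/Orders_details/2019-10/
https://i5t.ir/wp-admin/Amazon/Clients_Messages/2019-10/
http://homeconcept.rs/cgi-bin/kf5is9fl37n0lo7ddczwx2oxd/
https://kenoryn.com/wl96sonk/3twu0732/
https://example.com/about/
"""

if __name__ == "__main__":
    for url, hits in classify_urls(SAMPLE_BODY).items():
        print(f"{url}  ->  {hits or 'no match'}")
```

Running it shows the two Amazon-template URLs caught only by the revived pattern, the cgi-bin doc URL caught only by the old directory-list pattern, and the payload-site URL (which these doc DL patterns are not meant to cover) and the benign URL matching nothing. Note that the Amazon pattern is case-sensitive as written, so a lowercase "amazon" path segment would not fire; extracting text from PDF attachments first, as the note above says, is still up to your mail filter.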

Payloads Report


Binary loader updates across all botnets on C2 are still in sync with distro and still quite infrequent. We are not seeing much over 6 hash
busts a day per botnet.

@ps66uk notes we missed an E1 EXE hash 1ad0035a970f4babc4060839210c385bab09fac65651c8d15e1284b95feb7f35

C2 Report


E1 84
E2 81
E3 30

Closing


As predicted, the botnets are gathering strength and spamming more. Also, it isn't going to get better anytime soon with more doc templates
and payload sites per day being pushed out. Ivan and the Emotet gang have even brought links back to E1. The Emotet Malware factory shows
no signs of slowing down and quite the opposite! This is not going to end well for everyone when the actors go to cash in on their installs
by dropping various ransomware. Use these IOCs, check for C2 traffic, if you find anything, time for cleaning of your network like you would
clean your house if someone had MRSA! As many in the community like to say if you have Emotet on your network chances are you have another
infection already!

TT

Sandbox 10/15/19


E1 
https://capesandbox.com/analysis/3039/


E2
https://capesandbox.com/analysis/3040/


E3
https://capesandbox.com/analysis/3041/