Emotet Malware Document links/IOCs for 01/21/21 as of 01/22/21 01:00 EST
Notes and Credits at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.
Document Downloader Links
Epoch 1 Document/Downloader links
None Observed
Epoch 2 Document/Downloader links
http://2586097-2.web-hosting.es/images/qrXM9Zow0yfZPofu/
http://ajath.ae/forum-ias/assets/global/plugins/bootbox/Q9ateaow97q3WNDWCtb7bivXaoRtTHZJUI6VujTsDiA2g/
http://bielert.de/wp-content_old/8gSTXI4pZOATaDLWEVSuKq4bDiA8FRIu4VVnRsy9Ssl1uaBnMXWCrEE8DpEtaUGeJUMD/
http://comotocarviolaorapido.com/unquality/kEX5pzsmEFr/
http://confirm.bisiakintayo.com/wp-content/5jpofmmozacUKDbLEKzD6S6nQLKeEo1tdJ/
http://digitize.aravind.global/cgi-bin/e3QCCn/
http://dryaquelingrdo.softdesigns.org/wp-content/Rm7yv3assVd1HOEKNMMqX6i3IxWweXtvdDcoA5/
http://ec2-15-206-128-255.ap-south-1.compute.amazonaws.com/wp-includes/dt8TFJqvvShcT0pSLkqLumSDPavZ9zKzEfz77d/
http://flipamas.com/shio-hk-gkr1f/j7y9Xe4PkIn0joRDeZ0DcYy2q9bSsr7pXo9FF1xNccBPl6PxmS/
http://gaurance.com/peppery/fKdi/
http://goodnesspharmacy.in/blogs/fihqvgjr43nmp5mt6bd32aj7ymimuspne/
http://grupofloridablanca.es/anterior/TVBCsBdXirh0kZ57VInarzVVmGRDDgzGSLLK9kdLGwBSYWvQLJVmnIEM/
http://hcldindia.com/php/a1WAJk41PdQTM32aBZNT8yzcwL91x55fKgZHbsHTNEiv4FzAZLDyZLDtb/
http://hqdecig.com/cgi-bin/sNI8w3FSSB44IaVmzSS2nv0oD6EiIXLq6/
http://junoboat.be/cgi-bin/jpxPEE95T1VbBn/
http://jzsubao.com/application/UXltCk58c1XrrCu4Xj7eqJLdCpnNln/
http://mmsnegocios.com.br/wp-includes/xfhyzEyLilyhjG7YqyIzNza3vK2TaKi8AOSU5gLzaN/
http://movartemusic.com/wp-admin/KxPuFj09V77nrVkj6S7VS/
http://mvm368.com/wp-admin/w3ujGAnMFlitMY4ky0ccDmecu359zOzPWkZ6pad0G/
http://mywonderfulpregnancy.com/blog/yT6uSk8X0/
http://nafis24.com/wp-content/zJ3QQDV84IXAhPVyPx638DLfgrOhbZmJlYMn5CVzdMZ2JBsaElbHKEjTXOxt/
http://nhipcauytevietnhat.com/efficiency-all-iuehb/BJug3jyhuyilWhCQs3YksSaqQW7tpyvmYpb91wTZdbluIo1EKoPE5VrBbcx8zHDAR9YT/
http://photolinguist.com/wp-admin/hY1hDtbdpHRYygChX8RxFuyd1u03H9gqdGaKN4ehikaozqe/
http://prodescsaude.com.br/wp-admin/brTy5dQqoWSZuiqboYW93gcxEkQAKW4HWqN0wKGxXrnyXF9I/
http://propertybrokers.cl/cgi-bin/j4BdkyULiYCiswVfZwkJlYaH9L/
http://qmh333.com/i/QWoxGKEAxpMOdFlrmQGtb1vXp2HyuiqQcatAdBXaZLJI1PwjmuseKJBGTGOCXaRJt8/
http://shifa.sa/wp-admin/NbtxKRENMNlV3FEKqxJWawuks/
http://solitaireclubs.com/frayedness/M3rZPu123OeKCdOa97cQB4l4Clf9qTIhP9iNZFegOwMrul2eQm9xUmaOOfREpXOfq2p/
http://sspbrand.com/sdrangel-install-qdm2q/FynTewQiDCX6XxbXVjRojqMEU3yS/
http://sub-g.com/wp-admin/pk7VSCtRc4vNosujpbaaCCfCeVcLGQwuR70h6jzsiEP6uWmfwwP4GftKRh8vVA/
http://ucmasmauritius.com/admin/xdekfyevy1f3ffze8bz45oxbhzxp61o6eielyyyj5gjp/
http://vocalriyaz.com/typically/2lY44b5ijlK5q06XNNk8xYxmzpIA2tJEtU/
http://www.angelobruzzese.com/administrator/oy3o2YByTlpah8M/
http://www.lohanamatching.com/archive/xhQHNgFb197ALjQrnmONpW0lnG6QKEs7lgNmvGp7FCIfffx3ubweAd0UAGFJNbPXg/
http://www.photolinguist.com/wp-admin/hY1hDtbdpHRYygChX8RxFuyd1u03H9gqdGaKN4ehikaozqe/
http://www.qmh333.com/i/QWoxGKEAxpMOdFlrmQGtb1vXp2HyuiqQcatAdBXaZLJI1PwjmuseKJBGTGOCXaRJt8/
http://www.serviciomore.com/Sistema/XUL2/
http://www.weinsteincounseling.com/wp-includes/NgTJ/
https://benessereperfetto.com/i/fQE2T7bneVp8bdWxUYN5TFt64nPbU6sA4dFmsJdHpkNGnYO4T1vjASsdzUT3NFd9lnU/
https://comotocarviolaorapido.com/unquality/kEX5pzsmEFr/
https://digitize.aravind.global/cgi-bin/e3QCCn/
https://grupofloridablanca.es/anterior/TVBCsBdXirh0kZ57VInarzVVmGRDDgzGSLLK9kdLGwBSYWvQLJVmnIEM/
https://vocalriyaz.com/typically/2lY44b5ijlK5q06XNNk8xYxmzpIA2tJEtU/
https://weinsteincounseling.com/wp-includes/NgTJ/
https://www.bdshuang.cn/wp-includes/NotWCrKVIB2WFn4Rp62Ki34Op814y7gOBb0OSu8hC/
https://www.weinsteincounseling.com/wp-includes/NgTJ/
Epoch 3 Document/Downloader links
None Observed
Payloads per Epoch by Document
Epoch 1 Payloads by Document SHA256 - All Times UTC/UTC+3Z
Creation Time 2021:01:20 20:48:04/23:47:00Z (Attachment/Operation Zip Lock - Doc based - Red Dawn)
SHA256:
01371fa05cb9655cead451fbcd5002105a22f5ba56d69a14c2dfd5f6339e78b3
0d14edfef37ad84ca2c67851dbec4ed2f2c5bee1e50afdc9f0e3e7a253b485e8
12499f3ab4a86ef07f3e35512eec9e0cca775d4908863187834e130ba2370845
1cd0d2aeadd9d8eb83bd1a08b3f4c7c8af47425837e8f3da57ee9e79f3642b4b
1fc8009811a2b02343fc0dbe659fe578a0f42454eb9ebd2b6f108f1f537304d6
221316fd4ecf32dcb06af77dae3f9fccf26a88829e77acf6d3f96a3225f12fa4
39dd0637ec1a0e409bde3f7d5564bc4b2fca354147f9c7ad32ae6304a95643d1
4483f0e59565160c5edb87f7eef7b2de70ac43d406bd63485778e07ef0d59f7f
51fd64693470a9ad150328ef0a2b5845ed94fe9a15b5c74577dd7731275dbb1f
56fd1a038ca3544d5ed57bd46884fc10539338fd3981f26aaf5e1aad10002b95
57b4115dd50b258da36a842c5e277f6bfb40144e3e37d73ba3dda4e2a063e2e6
5e934e888f338f5109382452f0426d23422308a72f1ea29804fe39bf06680d42
631aeb62d21a575e8ca4b680dad85ea7adaf5582a05046a7d7d2f3dbbf9ad356
66bbf866b922d161d54fd4fae2d2f449407523723c870b14dfb3ea0f916c8818
8b0237a5c474d5f1b1023f2ef86af7bb471dfa11f5c1a96df41ce76dc9cbf006
a2e337f860a9c3a1fe061c742838959408e1c559ebd6ca136fb9b6c883f5c586
aed16d598bfac0757f5a97e7a0df35bf36d4bfc35ffb199a8374cc71d6a774c7
b145199e3358a054ec1977f07a4be7a2644db93f46dbc0bc4fda594bc7f90f74
b5b02e6f73fe5942b8bc64a62c74fc988d2e0c931b1227becf463c33069ba041
c316997b40dd3840f3da94dbd543898beccccf19961252d73f72550b4bf3e198
ca7a197a4aa3ca00397dd2e74a494ca30e0c21b90d9489a3713a01ac80c72a12
d301b119d7e8f10a43809a30ac6c9c218d74b78bf84d84fa7c0bacbbc8ca3b7f
dcd040470964c4963ccb4169a795c1f7eb02f22ad21bdec128a0f12ffd37aa58
ef057bd5ad2a5de868373ed48432b29bf7e72ca25067d8c1e420d9b60e196967
http://yahyalisayam.com/sys-cache/tAsw/
http://casinos-hub.com/s/ZQhDyLF/
http://deoditas.com/n/FUEyoG/
http://mts2019-002-site9.gtempurl.com/wp-content/E/
https://ocean4gamers.com/wp-content/GAuYf/
http://academiaprogreso.com/cgi-bin/Z5/
https://newtop.one/responsives/z/
Epoch 2 Payloads by Document SHA256 - All Times UTC/UTC+3Z
Creation Time 2021:01:20 20:40:15/23:40:00Z (Attachment/URL - Doc based - Red Dawn)
SHA256:
://trendmoversdubai.com/cgi-bin/B73/
http://dryaquelingrdo.com/wp-content/SI/
http://bardiastore.com/wp-admin/A1283/
http://oxycode.net/wp-admin/x/
http://fabulousstylz.net/248152296/TpI/
http://abdo-alyemeni.com/wp-admin/seG6/
http://giteslacolombiere.com/wp-admin/FV/
Epoch 3 Payloads by Document SHA256 - All Times UTC/UTC+3Z
Creation Time 2021:01:21 07:44:00 (Attachment only - Doc based - MSWord DE)
SHA256:
2e35f527f530f946ff80f1e983383e4efb0f6ac4db9ee86afd62ab2c4c8d0bc3
30d2821cdf2bf71b2cbebeeea62050b671fe2d2053c676ca0c179ac76ea0897a
3d46b079f5238c90674ec0a6cb9f7db058654d925a84b221953a1c4df66be2fc
3ec6cd2e078f8bc684bf9291c9c3a94121c8dafbde12613fcd4d31a79b20896c
40b1f6d11c783c7b956cf5c25c4e0ec814cacf3b6bf274629ccb3dda1eea4e38
6104a677cd91068a59589c7b7a22b124ad53c9a32d59fac2f5691b54c5edf76b
67682838e0745ae535a83f9b7cf159acd72b214b3f75504be7f039f1497cf3a5
69078beff40f7e13c4f71385d4039a64a3b3a485471a9d66964598187a18f4ee
6f661eac8a44521833b364bd90572b21e7f1f98f0e3dce76f39109344cd52781
8c437fe63f766f9e3fc81515a78f55caf53d1701ba1f3b1191978a51dcfc659d
8c585397f372deb0c609b0acf6fe42452987214ad519df1b254c5c666df4afaa
90c294bc4b8267cdc9bc44d0fed58ea36be306dbd259c2d17fd419cebb63b988
9d3c537b888df0dbb49acc5106f05dca2abe82347b16d881cf27cebfbe4a24aa
a85ad93c17e5f0ce36ec448853a63cb83ee0ee976603ac159ce5e96cd8e67e13
aaf1f1f2174b0f98e67a51c9cde1021a6a7b39bef0558e6bfa17ac3b6cc1a788
ba9c99e45d906de7f03eea1788b4b034cda29476bb44e4cb24aacb37cdfd75c7
bbbdfca7dbe699780b0c92e88758f189c2aba0619c985872f0b74fb9dd332db4
c0e87e1eaacac3b758604d6729c480f75d14530a617ddb22c5fac6bbd456022d
c643452b495218e12d0d7a502b386741511c531aef89de79febe1b9265d079d5
d7336746eecdc0562c91122e680344012a3759caebf0995117083bf712d0e75d
ef287a1865d74b80b3e9129f49c81b8d975b05d1d2c872f16cada5757a8ff71b
f219b5744489e2e5b9255c15976bf1c5971d1581f29be8524ede0536ca95b982
f6817a1e79d2b8d13c6aa3308b265f8c18e6c331e04273898957c38acefab001
http://deshbangla71news.com/wp-content/5M/
https://bookkeepingdoctor.co.uk/s/1EU/
http://www.peritidiparte.org/administrator/XSboAD33/
https://lubdeco.com/rocketlike/1IqoSgDG/
https://vallerconstrutora.com.br/wp-content/uploads/vDIi0eYzz/
http://www.bikemyday.se/wp-includes/FdM/
Creation Time 2021:01:21 07:19:00 (Attachment only - Doc based - iOS Enable Editing)
SHA256:
0af5e4550ed0d07e9620819827203ca4a29afc43478e9074bdaa38e589a376f7
0b06de02de18d7db163a215d2be87483e43d545698e9e200b311d06571e97ad0
134736b98536f6f81da8506f38c313a05012896efe558942fa20863e21d88512
1a0f24545657f749035796c8407b580d9172fa60a6faea7c22faef8069d6aee2
1b13bccb232b6912206990f6e6d9edefed8c700881036157d63bdec10c185072
1bab1464c3e8f00b40b4b57b0ea79569d451f1e22c42bd630426d02fbda163bb
1e3065dffd5f002516433e4b581bcdc393b1a6c7a55adb4bc342909d555daec9
21a8e60bc2a6c47e608d46360cefda71e3a573dd1153a72bf06f7b2f9e464db9
225afa90ab5bba24458f97714b131bf842e5b3c8b094f35c1903b07ca4247651
28b7f1e4319f06e850021dcdb710af17c990eb18d356d295f28c7a49962a4194
2c63fff7b74ac7cfe1cfce171597a813816d90303db17c4e35d412bd11b10d12
2f2d38359888c33e6281957c9c695658ff2a21ccbd4deb1a64c4b45e948403c3
3ad299664e07b6aa08b944e6fb9f251c63def0fb05c017fc2136752c08572c8e
41b919b6cdbbddf1a3736c6f7a778f34532049ed44d623021a7fe3a62bb27b5d
41f0460f8a8e8219b3c9ac1deea29dff53d8b8f47ef9482a22760a9f37021e19
434b04fbceafd7baec4fc16d5322b9178337ecef64e8faa1c7d7a7eb2c813e39
464e228e72bfc9069edea2955b05063322b9516c46c9ad791f04cbac403c23a6
5698dc134f384956b2b7a990a7ff5496f80f42544156ef63e8cff61d7ceb3672
5b03d5fd4cb9b6b892b0aa131b8ffa0867b2113ab898fc5a6a47ffc876f884dd
5f63e101eb1c98af52149bedd0ffab1054e633dd0ffd6abefb0ad182c039d08c
6275898c718a79e422a08d5da48d560cf39d6e32b91646872420f9f89f5575d9
662906ec7c3d0f4ceb68de2216b2a03287b325f5c8d83724425aede6686cb8b1
706505b21fa17afbce6600e7c3310f017d6638e39664afc2262caad5ea251dcf
71263a5644afd276319429a472a59a7c404c1c3b479b7271612ed313a7ae56eb
74343a001171626962a999b1ebc2459791e6201f8575b041385aca073d46e187
78ef9bebe5b116baba76e5e3c00e335f910aae60c4ba7c5e44accbdfd7d97296
7997dc297f9c7f2d47c512632eb6df6b7e4cbb7774fae3dce66b7308d735ddbb
7a64eb019fea594521934f69102ce58f7b624a29138c0c86a1ca59f7f7f439d2
7f48d8712e04dfae0411d4563e6b817a9429ca151c71169b54d1a55fc49d289c
80d98ff256d38ba20e2d70f04c287d7adf58d069253ed30d68bbf1329e1e173e
81eab559ab78c380c94f071e82a5ebfb858c52a64767305ab185151136f356af
81f2ba7fd695aeccb81089e2eef8feb88e6dd460a95bdffb4c43ec226e4ffbdc
825941622149533a9bc0cfbcc6ddd1f4ac0e4277eacd318026b69d3d8a07a1cd
896881860d73c4e57f15cb7a022eece87ffcfea2d3b3461fcb50ad2ac26fdcbe
8ef02c1c0bc8471a6a38e18c5bf500758c3ef4e9620d2a17ba74368d6d4a9663
8fe63ab9654b72a4c55b3f06dcdd730da8682db8344ad0573511f784ca74af39
917ed80030b193ca95cc7a2218becdbbf9e158e94af47022d03d0877c7274327
935f0ece155c156660b1d165cb311a37af8740d7107fa9b9d2d61da00f407237
941d2dc007e614f0830e1584c83077f2b6fe394d0d92e4eb47fdb29813646529
a146c432463710e2a1d26e89beb818797c3f530e9e138e13f43ae94c5d94a47e
a37e48736b39e8b39dcaa0384df8eb2864f9f9801119609b200f5022a3521f5b
a62a6abf3a03ed16093f50945dd98fa4d93fb8d9c5a63194ac552eff23d3f806
af03373bd3a06747f1486f247881d21782ec84cf7a5125c650c8f089edf280ef
b1bfffa19f20994eb06b7be3216bd7f9b0ed7df2a7ff305b037df356b0aeea3c
b28b852286ecaa470a365c799492b65cde4ea7cf0fdd47964a3ab67b3d99d29d
b58b67e34d79622087f8d980c1e2dcbaf19fbbad264a236e2ec3af5ccc351a1d
b89ea255c1499ba1d5f75219d7fff2fdd00ce9ab61ce36ba4498f59461c1c1bd
c801cfb380a7740a1fe7a2601a40f3a4fe78814ff4a27ac14b5d5fc22951c398
c9e142202bfdefe0dc3901dd9133e4723a5109914aedda93e4b1f01db20c318c
c9f449c178b91a5423d5bb9343b220293fd18eb4f10bc3e024349e8c5aeec531
d12582ce53e9e687237bf288e5ac6085e9d4059c0103b82bc6993cca5122706d
d14751bd579250a629a94a873857d557724a26dee8af6acb53f466402d98a0ec
d2eaa9bed0a34fb09e3e100269d6adc98f380e7aae68de4978926ddfaeb7177a
d4060d6c007d54ba0b2dc8ec8ea755ecb9adde6e6606ef0e90b347a1755a95c9
d4654bc9163aba681c6f8b4a4038e8aa312369dc3b027cd50dd104077029a233
dacb9722a67ae684a2d4df3ed97d79892c842e0bb9648bc012fefa64613287cd
ef5d46380da37e1c4b4c2666d3252391e3c67cb04d1cf3a5163516a840635768
ef5dfc99729e1117bf153c9f3eb19cfd49ff042ccec9942e44ba067d43fc78b7
f188af4cc381f08181f38fcef77fccad9de49698b8f1bdf42e0a5719bad82101
f78841380bd3349588f17fb4efe705fe4ff5d93e035f45cbc660fa167486618f
http://amojo.org/p/Mx/
https://topflighttrading.org/wp-includes/WbDnukw/
http://www.exerzitien.jetzt/nfs-heat-n0ght/MsQfotaKfq/
http://www.yugan.cool/v/vSFJCCG9oV/
http://ook7.com/b/pbd1/
http://www.caglayansrc.com/content/tPGhhnTHa/
https://senturketicaret.com/wp-admin/KAFiShfSh/
Creation Time 2021:01:20 23:50:00/02:50:00Z (Attachment/Operation Zip Lock - Doc based - Microsoft Office JP)
SHA256:
://gethumvee.com/improvisate/HVTtdmsZ/
http://arch.nqu.edu.tw/wordpress/w7F/
http://hindumedia.in/microsporous/P7m/
http://pageshare.net/sales/tzV/
http://bgmtechnologies.com/4131325866/sg/
http://popperandshow.com/248152296/ccXqKYPqQ/
Creation Time 2021:01:20 23:40:33/02:40:00Z (Attachment/Operation Zip Lock - Doc based - Red Dawn)
SHA256:
://qingniatouzi.com/wp-includes/Z4TFME0/
http://chenqiaorong007.com/wp-content/inh1Q4eFMT/
http://bestcartdeal.com/wp-content/U12BbGPx2v/
https://hredoybangladesh.com/3948708181/l7/
https://washcolsc.com/wp-admin/gRIWZ/
https://aqnym.top/wp-login/9ZvtYaLyhg/
C2s Per Epoch
Epoch 1 C2s
181.10.46.92:80
2.58.16.88:8080
206.189.232.2:8080
178.250.54.208:8080
167.71.148.58:443
202.134.4.210:7080
187.162.248.237:80
78.206.229.130:80
85.214.26.7:8080
5.196.35.138:7080
1.226.84.243:8080
110.39.162.2:443
185.183.16.47:80
152.231.89.226:80
138.97.60.141:7080
94.176.234.118:443
46.101.58.37:8080
93.146.143.191:80
70.32.84.74:8080
137.74.106.111:7080
80.15.100.37:80
68.183.190.199:8080
154.127.113.242:80
70.32.115.157:8080
12.163.208.58:80
31.27.59.105:80
110.39.160.38:443
68.183.170.114:8080
87.106.46.107:8080
105.209.235.113:8080
185.94.252.27:443
209.236.123.42:8080
60.93.23.51:80
186.177.174.163:80
177.85.167.10:80
111.67.12.221:8080
191.241.233.198:80
149.202.72.142:7080
12.162.84.2:8080
217.13.106.14:8080
197.232.36.108:80
192.232.229.53:4143
143.0.85.206:7080
177.23.7.151:80
213.52.74.198:80
51.255.165.160:8080
181.30.61.163:443
93.149.120.214:80
212.71.237.140:8080
51.15.7.145:80
190.247.139.101:80
188.135.15.49:80
155.186.9.160:80
91.233.197.70:80
95.76.153.115:80
46.43.2.95:8080
152.169.22.67:80
138.197.99.250:8080
104.131.41.185:8080
211.215.18.93:8080
81.215.230.173:443
152.170.79.100:80
190.114.254.163:8080
190.251.216.100:80
201.241.127.190:80
82.208.146.142:7080
172.245.248.239:8080
190.64.88.186:443
192.175.111.212:7080
50.28.51.143:8080
81.17.93.134:80
202.79.24.136:443
190.24.243.186:80
190.162.232.138:80
62.84.75.50:80
190.210.246.253:80
190.45.24.210:80
172.104.169.32:8080
82.48.39.246:80
188.225.32.231:7080
45.16.226.117:443
178.211.45.66:8080
138.97.60.140:8080
122.201.23.45:443
170.81.48.2:80
81.214.253.80:443
80.249.176.206:80
83.169.21.32:7080
46.105.114.137:8080
83.144.109.70:80
191.223.36.170:80
200.75.39.254:80
201.185.69.28:443
Epoch 1 - Spam C2s
165.22.93.5:8080
128.199.220.70:8080
54.38.143.246:7080
5.56.132.177:8080
54.36.185.63:80
Epoch 1 - Stealer C2s
37.187.195.209:443
167.71.4.0:8080
165.22.246.219:8080
45.55.82.2:8080
88.217.172.165:8080
162.144.212.120:8080
Current Epoch 1 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6
uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz
6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB
Epoch 2 C2s
12.175.220.98:80
162.241.204.233:8080
50.116.111.59:8080
172.86.188.251:8080
139.99.158.11:443
66.57.108.14:443
75.177.207.146:80
194.190.67.75:80
50.245.107.73:443
173.70.61.180:80
85.105.205.77:8080
104.131.11.150:443
62.75.141.82:80
70.92.118.112:80
194.4.58.192:7080
120.150.60.189:80
24.231.88.85:80
78.24.219.147:8080
110.142.236.207:80
119.59.116.21:8080
144.217.7.207:7080
95.213.236.64:8080
46.105.131.79:8080
176.111.60.55:8080
174.118.202.24:443
94.23.237.171:443
138.68.87.218:443
110.145.101.66:443
134.209.144.106:443
74.208.45.104:8080
24.178.90.49:80
172.125.40.123:80
157.245.99.39:8080
118.83.154.64:443
202.134.4.211:8080
121.124.124.40:7080
172.104.97.173:8080
110.145.11.73:80
172.105.13.66:443
168.235.67.138:7080
78.188.225.105:80
59.21.235.119:80
185.94.252.104:443
24.179.13.119:80
49.205.182.134:80
51.89.36.180:443
115.21.224.117:80
202.134.4.216:8080
190.251.200.206:80
78.189.148.42:80
220.245.198.194:80
85.105.111.166:80
5.39.91.110:7080
203.153.216.189:7080
93.146.48.84:80
181.165.68.127:80
70.183.211.3:80
47.144.21.37:80
167.114.153.111:8080
75.109.111.18:80
24.69.65.8:8080
188.165.214.98:8080
187.161.206.24:80
74.58.215.226:80
74.128.121.17:80
24.164.79.147:8080
139.59.60.244:8080
136.244.110.184:8080
2.58.16.89:8080
79.137.83.50:443
139.162.60.124:8080
89.216.122.92:80
188.219.31.12:80
190.103.228.24:80
109.74.5.95:8080
87.106.139.101:8080
78.182.254.231:80
74.40.205.197:443
89.106.251.163:80
69.49.88.46:80
62.171.142.179:8080
217.20.166.178:7080
161.0.153.60:80
37.187.72.193:8080
190.240.194.77:443
5.2.212.254:80
200.116.145.225:443
98.109.133.80:80
75.113.193.72:80
115.94.207.99:443
109.116.245.80:80
123.176.25.234:80
120.150.218.241:443
50.91.114.38:80
180.222.161.85:80
186.74.215.34:80
95.9.5.93:80
64.207.182.168:8080
197.211.245.21:80
61.19.246.238:443
37.139.21.175:8080
181.171.209.241:443
185.201.9.197:8080
71.72.196.159:80
41.185.28.84:8080
Epoch 2 - Spam C2s
165.227.170.254:7080
195.181.215.65:8080
167.114.122.37:80
137.74.119.116:8080
51.38.237.230:8080
219.94.242.134:8080
217.160.19.232:8080
95.215.46.191:8080
Epoch 2 - Stealer C2s
167.99.105.11:8080
51.255.40.241:443
78.47.87.196:8080
159.65.222.75:8080
195.14.0.12:8080
87.106.225.180:8080
198.144.158.120:443
151.236.60.57:8080
Current Epoch 2 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS
Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS
fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB
Epoch 3 C2s
132.248.38.158:80
203.157.152.9:7080
157.245.145.87:443
110.37.224.243:80
70.32.89.105:8080
185.142.236.163:443
192.241.220.183:8080
91.83.93.103:443
54.38.143.245:8080
192.210.217.94:8080
37.205.9.252:7080
78.90.78.210:80
182.73.7.59:8080
163.53.204.180:443
91.75.75.46:80
172.104.46.84:8080
161.49.84.2:80
27.78.27.110:443
203.160.167.243:80
109.99.146.210:8080
120.51.34.254:80
203.56.191.129:8080
183.91.3.63:80
37.46.129.215:8080
188.226.165.170:8080
116.202.10.123:8080
223.17.215.76:80
198.20.228.9:8080
185.208.226.142:8080
68.133.75.203:8080
192.163.221.191:8080
46.105.131.68:8080
8.4.9.137:8080
2.82.75.215:80
178.62.254.156:8080
110.172.180.180:8080
175.103.38.146:80
201.212.61.66:80
190.19.169.69:443
143.95.101.72:8080
91.93.3.85:8080
139.59.12.63:8080
46.32.229.152:8080
195.159.28.244:8080
58.27.215.3:8080
202.29.237.113:8080
5.79.70.250:8080
103.93.220.182:80
75.127.14.170:8080
201.193.160.196:80
139.5.101.203:80
186.96.170.61:80
49.206.16.156:80
178.254.36.182:8080
157.7.164.178:8081
172.96.190.154:8080
172.193.14.201:80
203.153.216.178:7080
2.58.16.86:8080
186.146.229.172:80
117.2.139.117:443
113.161.176.235:80
190.85.46.52:7080
180.148.4.130:8080
50.116.78.109:8080
152.32.75.74:443
162.144.145.58:8080
74.208.173.91:8080
122.116.104.238:8443
178.33.167.120:8080
103.80.51.61:8080
65.32.168.171:80
190.18.184.113:80
24.230.124.78:80
103.229.73.17:8080
179.233.3.89:80
88.58.209.2:80
82.78.179.117:443
115.79.195.246:80
190.107.118.125:80
188.166.220.180:7080
79.133.6.236:8080
139.59.61.215:443
195.201.56.70:8080
201.163.74.204:80
Epoch 3 - Spam C2s
162.214.68.171:8080
159.65.140.182:80
118.163.97.19:8080
37.48.84.223:8080
82.118.225.196:7080
Epoch 3 - Stealer C2s
45.230.228.26:443
82.145.43.153:8080
195.159.28.229:7080
104.236.52.89:8080
Current Epoch 3 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ
cMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j
l32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB
Credits and Notes Section
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch
because they rock and report everything to ISPs as it is confirmed to be malware. Additionally,
this list MAY include doc DL URLs from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.
What is Epoch 1, Epoch 2 and Epoch 3?
(Updated 10/25/20)
We get a lot of questions about Epoch 1-3 and what they really mean. These are different botnets of Emotet with different
infrastructure supporting them. I called them Epochs because they seemed to follow a different timeline and timescale of releases
for updates. They do not share C2 infrastructure and they can behave independently. In general these are
the rules governing Emotet's Botnets/Epochs:
1. All C2 combos are hard-coded in a list of up to 127 C2 combos in a given Epoch's loader. These Tier 1 C2s are never shared
between Epochs. E1-E2-E3 will all have a unique list of IPs/Ports (combos) per Epoch. (Usually updated once per day)
2. Module C2s are also unique per Epoch and usually are former C2 Combos that were published in the loader but now are used for
the special purpose of the module for that Epoch. (Usually updated once per week)
3. All Epochs have a unique RSA Public key that is used to communicate and decode messages from the C2 infrastructure. These are
listed in the daily reports. Using CAPE's excellent Emotet Extraction module you can easily find what Epoch a sample is from.
4. All Epochs will use a unique location for distribution downloads. You will never see the same directory on the same compromised
distro tier 1 host used for a different botnet. e.g. host A may be used for distributing Emotet E1 loaders in directory /wp-fail/X/
and you may also see E2 documents hosted out of /wp-sucks/Y/. You will never see E1-E3 use the root of X or Y again for another
distro job to host loaders or docs for another botnet. (Note: a given distro directory will usually become abandoned and stop
hashbusting after 48-72 hours from inception.)
5. Spam from each Epoch will be used to add new bots to that Epoch. While there have been very rare exceptions or maybe even mistakes
on the distro side, Epoch 1 spam will be used to create more Epoch 1 bots, Epoch 2 spam will be used to create more Epoch 2 bots and Epoch
3 spam will be used to create more Epoch 3 bots.
6. Macro Documents from a given Epoch will always contain 5-8 URLs (Quintet, Sextet, Septet, Octet) as of 10/25/20 that download the loader for
that same Epoch. (There have been very rare exceptions to this rule but in general this is the TTP.)
7. Macro Documents from a given Epoch will have the same Creation Time for a given Quintet of URLs. This allows for quick identification
of the origin of the document per Epoch. When the Creation Time metadata changes for a document, there is almost always a new quintet
of loader URLs.
8. Malspam Templates are usually unique to a given Botnet/Epoch. They may later be shared to the other Botnet/Epoch but at the time of
the run, they are usually run on a single botnet. An example would be the Ransomware one from Friday 1/17/20 that was only on E3.
9. Bots can be transferred from Epoch to Epoch and we have seen this over time. Normally it is done by dropping an EXE from another
Epoch deliberately for the C2 update.
10. Macro Document Creation times usually change on Epoch 2 first and then shortly thereafter change on E1 and E3. We believe E2 is
really the primary botnet for Ivan/Emotet and they put changes on this botnet first.
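Rules 1 and 3 above (one hard-coded C2 combo list per Epoch, never shared, and one RSA public key per Epoch) can be checked mechanically against a report in this layout. The following is an added example, not Cryptolaemus tooling: it parses the "Epoch N C2s", "Epoch N - Spam/Stealer C2s" and "Current Epoch N RSA Public Key" sections, maps an observed ip:port back to an Epoch and role for triage, flags any combo that appears under more than one Epoch (rule 1 says there should be none), and parses each base64 key as a DER SubjectPublicKeyInfo just far enough to confirm an rsaEncryption key with a 768-bit modulus and exponent 65537, plus a SHA-256 fingerprint for noticing key rotation. SAMPLE_REPORT is a constructed excerpt of this page's own lists (a few combos per section, and the Epoch 1 and Epoch 2 keys exactly as printed above); the function names are my own.

```python
import base64
import hashlib
import re

# Constructed excerpt in this report's own layout: a few C2 combos per
# section (copied from the lists above, not the full lists) plus the
# Epoch 1 and Epoch 2 RSA public keys exactly as printed on the page.
SAMPLE_REPORT = """\
Epoch 1 C2s
181.10.46.92:80
2.58.16.88:8080
Epoch 1 - Spam C2s
165.22.93.5:8080
Epoch 1 - Stealer C2s
37.187.195.209:443
Current Epoch 1 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6
uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz
6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB
Epoch 2 C2s
12.175.220.98:80
2.58.16.89:8080
Epoch 2 - Spam C2s
165.227.170.254:7080
Current Epoch 2 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS
Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS
fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB
"""

C2_HEADER = re.compile(r"^Epoch (\d)(?: - (Spam|Stealer))? C2s$")
KEY_HEADER = re.compile(r"^Current Epoch (\d) RSA Public Key$")
COMBO = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")
ROLES = ("loader", "spam", "stealer")
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # id-rsaEncryption


def parse_report(text):
    """Return {epoch: {loader/spam/stealer: set of 'ip:port', rsa_b64: str}}."""
    epochs, section = {}, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = C2_HEADER.match(line) or KEY_HEADER.match(line)
        if m:
            epoch = int(m.group(1))
            epochs.setdefault(epoch, {"loader": set(), "spam": set(), "stealer": set(), "rsa_b64": ""})
            role = "rsa_b64" if m.re is KEY_HEADER else (m.group(2) or "loader").lower()
            section = (epoch, role)
            continue
        if section is None:
            continue
        epoch, role = section
        if role == "rsa_b64":
            epochs[epoch]["rsa_b64"] += line      # base64 lines are concatenated
        elif COMBO.match(line):
            epochs[epoch][role].add(line)
        else:
            section = None                        # unrelated text ends the section
    return epochs


def classify_combo(epochs, combo):
    """Map an observed ip:port to (epoch, role), or None if not listed."""
    for epoch in sorted(epochs):
        for role in ROLES:
            if combo in epochs[epoch][role]:
                return epoch, role
    return None


def cross_epoch_overlap(epochs):
    """Rule 1 check: combos listed under more than one Epoch (expected empty)."""
    seen = {}
    for epoch, data in epochs.items():
        for role in ROLES:
            for combo in data[role]:
                seen.setdefault(combo, set()).add(epoch)
    return {combo for combo, eps in seen.items() if len(eps) > 1}


def _der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_info(b64):
    """Parse a base64 SubjectPublicKeyInfo just far enough to read n and e."""
    der = base64.b64decode(b64)
    tag, spki, _ = _der_read(der, 0)              # outer SEQUENCE
    tag_alg, alg, pos = _der_read(spki, 0)        # AlgorithmIdentifier
    tag_bits, bitstr, _ = _der_read(spki, pos)    # BIT STRING wrapping RSAPublicKey
    if (tag, tag_alg, tag_bits) != (0x30, 0x30, 0x03) or not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    _, rsakey, _ = _der_read(bitstr, 1)           # skip the unused-bits byte
    _, n_bytes, pos = _der_read(rsakey, 0)        # INTEGER modulus
    _, e_bytes, _ = _der_read(rsakey, pos)        # INTEGER public exponent
    n = int.from_bytes(n_bytes, "big")
    return {"bits": n.bit_length(), "exponent": int.from_bytes(e_bytes, "big"),
            "sha256": hashlib.sha256(der).hexdigest()}  # fingerprint for key rotation
```

Running `parse_report(SAMPLE_REPORT)` and then `cross_epoch_overlap` on the result returns an empty set, as rule 1 predicts, even though 2.58.16.88:8080 (E1) and 2.58.16.89:8080 (E2) sit one address apart; `rsa_key_info` reports 768 bits and exponent 65537 for both keys, with different fingerprints. Feeding the full page through the same parser gives a per-Epoch blocklist, and comparing fingerprints across daily reports shows when a key rotates.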
Community Lists/Samples
(sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)
Credits
Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:
Doc DL URLs - @devnullnoop, @executemalware, @zbetcheckin, Anonymous
C2 info/RSA Keys - @hatching_io, @CapeSandbox, @unixronin, @devnullnoop, @MalwareTechBlog, @lazyactivist192, @executemalware, Anonymous
Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @malware_traffic, @executemalware, @Paladin3161, @bomccss, Anonymous, @JAMESWT_MHT
@reecdeep, @waga_tw
Spam Templates - @devnullnoop, @lazyactivist192, @proofpoint, Anonymous :)
We would like to thank the parts of the community that explicitly request to NOT be listed here. You know who you are! :)
Special thanks to @lazyactivist192, @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk, @dms1899, @myrtus0x0 for creating scripts/servers/
infrastructure and helping out with this!
Very special thanks to @hatching_io, @proofpoint, @unpacme, @herrcore, @seanmw, @Binary_Defense, @lazyactivist192, @capesandbox,
@bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey, @digitalocean, @mploessel,
@anyrun_app, @unixronin, @hurricanelabs, @MalwareTechBlog, @KryptosLogic, @0xtadavie, @MsftSecIntel, @abuse_ch/urlhaus.abuse.ch,
@urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software at no charge to this cause!
Daily Log
This report was gathered by @JRoosen and @ps66uk:
@JRoosen here - Well, something broke on the backend for Ivan, it looks like, and while things looked good on E3 in the morning UTC time, it quickly
unraveled for the tools over at EmotetHQ. Whatever happened, we saw hashbusting break on all 3 botnets and the next binary they probably were
going to hashbust did not come down. Also, it seemed like Ivan had issues getting the spam cannons to fire after this point, or maybe felt
it was just not worth it to try since distro for the DLLs was not hashbusting. Whatever the case, short day for us with little to cover. We saw E1
stop spamming around 05:00 UTC and E2 was even earlier, near 03:00 UTC. E3 was more robust and even had 2 more docs with a special DE German
based office template being used again, as it was run in tandem with the iOS based template in English. All of this stopped around 08:30 UTC.
We saw activity today which seemed like maybe the botnet was still trying to spam, but it was primarily on E2. Even at the time of this
report, still nothing is spamming.
Emotet Domain Bucket
Created a pastebin of all domains used from 08/14/20+: This is sorta like the Emotet Hashbucket but it is all domains used
for distro by Emotet, either Doc or Exe downloads. They are piled together and deduped for your blocking on your DNS platform of
choice. CAUTION - Use at your own risk! While every effort is made to make this data valid, there is always a chance for a mistake,
or for one of these compromised sites actually being used legitimately.
171 recorded domains today used in Emotet distro. 141 of those were determined to be unique.
The previous total was 10,630 unique domains and this brings us up to 10,771 domains used since 8/14/20.
UPDATE (2021/01/20): For some silly reason, pastebin won't let me update the previous post here anymore so this is now frozen in time:
https://pastebin.com/raw/u8avFVD6
Therefore the new home of this content is here:
https://paste.cryptolaemus.com/dbucket/
Note: They started to use enough IPs that I figured I would just keep them in the list here because they are being used in URLs directly
versus the FQDN (if one even exists).
Over time you can see a lot of reuse with these domains at a rate of at least 1/2 per day. New domains seem to slow down by Thursday,
and on Friday there is a lot of reuse! If you need a reason to justify blocking these domains once they are used for Emotet, here it is.
Emotet Hash Bucket
Updated bucket today for 2021/01/12+ until the end of 2021/01/20 which includes loader hashes from the 14th/15th. Total hashes are now
24,734 and this means we added another 12,489 hashes today.
Bucket for 2021/01/12+:
https://pastebin.com/raw/0w79H0B5
Note - Every time it gets close to 64k hashes, pastebin seems to have issues dealing with it.
We are also looking for a better solution to this rather than Pastebin. Stay tuned.
General News
News in general and by region:
Basically we have a few reports from early in the morning of some spamming and then subsequent reports of the lack of spam all day. :)
Update on the Sekoia.FR incident with an Emotet Infection:
https://twitter.com/sekoia_fr/status/1352245726697414656
@ffforward once again had one of the earliest reports this morning and we concur that E3 was heavy until it went tits up.
https://twitter.com/ffforward/status/1352161123206909953
CL:
https://twitter.com/CSIRTGOB/status/1352378186273701889
DE:
https://twitter.com/neoxmorpheus1/status/1352387173128036352
DK:
https://twitter.com/ffforward/status/1352216560493096962
ES:
This one is interesting because it is #Mekotio but is similar to Emotet:
https://twitter.com/dgarcianet/status/1352235429160955904
IT:
https://twitter.com/VirITeXplorer/status/1352169065046040576
https://twitter.com/nicolaferrini/status/1352327110262546433
JP:
https://twitter.com/abel1ma/status/1352123122363768834
https://twitter.com/abel1ma/status/1352144654418939905
https://twitter.com/bomccss/status/1352282113605660673
https://twitter.com/bomccss/status/1352398894018088960
https://twitter.com/gorimpthon/status/1352213861449957379
https://twitter.com/satontonton/status/1352200872483201025
NZ:
https://twitter.com/phage_nz/status/1352486750011023364
US:
https://twitter.com/malware_traffic/status/1352252367929008128
https://twitter.com/ScarletSharkSec/status/1352264786747281412
https://twitter.com/ScarletSharkSec/status/1352271976769986562
Drops Report
IQTZ (IcedID/Qakbot/Trickbot/Zloader)
IcedID/BokBot - Not heard of any dropping yet from Emotet.
Qakbot - Not heard of any dropping yet from Emotet.
Trickbot - We only heard of reports of gtag mor1 being dropped. Once again Brad over at @malware_traffic posted his excellent notes:
https://twitter.com/malware_traffic/status/1352312552601038850
Zloader - Not heard of any dropping yet from Emotet.
Email Template Report
E3 was basically attachments only and a little bit of operation ZipLock before it died around 08:30UTC.
Update on Operation Zip Lock 2021/01/12
I am sure by now you have all seen the captcha based Emotet Operation Zip Lock (password protected ZIP). We broke that story yesterday
concerning this new tactic, but it seems to have been used with only a few templates for reply chain type emails and wasn't very dynamic.
Most of the samples I saw actually had the same password of "28ivw" or "k4ez". This behavior was only seen on E3 but
was a significant portion of the spam on E3 for both the 12th and the 13th. We believe this was an attempt to throw another curveball
at our automation to break open these files and report the payloads ASAP. Also, as noted in the news, it seemed to be a curveball for
other detection/defense systems for mail scanning. This was likely a test run before Ivan changes over the code to be more dynamic.
Well played Ivan, but in this way you also made them easier to identify with the crappy captcha. We will watch for new versions
of this behavior and advise appropriately.
Update on Operation Zip Lock 2021/01/05:
All three of the botnets saw some Operation Zip Lock action too but E1 was all password protected ZIPs all day. We also started to see
some new wording in the spam templates and @Slayelele reported this to us also. Usually the Italian version of the Emotet malspam would
give the password with the phrase "Password archivio: [0-9]{3,5}" but we started to see today a different format of the following:
___________
File di archivio allegato all'email:
Parola d'ordine: 82999
___________
File di archivio allegato all'email:
Parola d'ordine: NCPUCAXTVB
___________
Indeed even the English type of these Operation Zip Lock types of malspam were showing up with newer passwords and wording:
Examples:
___________
Archive file attached to email: Invoice Oc09269510.zip
Password: AOLNYE
___________
Zip file attached to email: Report J279304187/05-01-2021.zip
Password: 821YR1VALX
___________
These new variants were seen on E3. I will work on more regexes for these and publish later.
As promised, here are some facts we have gathered on Operation Zip Lock (most of this was still the same on 12/21/20 and since):
Operation Zip Lock is essentially password protected ZIPs attached to Emotet malspam in some of the templates that are used to
spam Emotet. This tactic has evolved over time but was seen starting in at least the first half of 2019. In general, these make up
only some of the attachment based malspam at any given time. Here are some general facts about this template:
1. By far, this tactic is used most to target Japan, and most often on E3 (at least until mid-September).
2. We are seeing templates in at least Dutch/English/French/German/Italian/Japanese.
3. The passwords in the Japanese templates are usually enclosed in brackets and are alphanumeric, matching the following regex: [0-9a-zA-Z]{6,10}
4. The passwords in the English templates are usually just numeric from what we have seen, matching the following regex: [0-9]{3,5}
5. The passwords are in the body of the emails and have been seen with the following phrasing before them:
Japanese Examples:
"=E3=83=91=E3=82=B9=E3=83=AF=E3=83=BC=E3=83=89=EF=BC=9A[GGE60fmI]" - This is the more complex series with [0-9a-zA-Z]{5,10}
"=E3=83=91=E3=82=B9=E3=83=AF=E3=83=BC=E3=83=89=EF=BC=9AUIzBZxV5v" - seeing some now without brackets [0-9a-zA-Z]{5,10}
"=E3=83=91=E3=82=B9=E3=83=AF=E3=83=BC=E3=83=89: 13948" - This series has a regex that is pure numbers [0-9]{3,5}
Italian Example: - From @JAMESWT_MHT https://twitter.com/JAMESWT_MHT/status/1308725036606533637
"Password Archivo: 0231" - This series has a regex that is pure numbers [0-9]{3,5}
Another Italian example from @jcgarciagamero https://twitter.com/jcgarciagamero/status/1309406482467901443
"Password Archivo: 5375"
German Example: - From @neoxmorpheus1 https://twitter.com/neoxmorpheus1/status/1308881983511109633
"Passwort: aLybP7nqNb" - This is the more complex series with [0-9a-zA-Z]{5,10}
French Examples:
"Mot de passe: 4397809869" - This is the more complex series with [0-9a-zA-Z]{5,10}
"Mot de passe: 7447"
English Examples:
"Archive pass: 8578" - This series has a regex that is pure numbers [0-9]{3,5}
Encrypted zip file attached to email:
"The password for the document is LQWMFXu" - This is the more complex series with [0-9a-zA-Z]{5,10}
"The file is password protected - p6z88n0K" - This is the more complex series with [0-9a-zA-Z]{5,10}
"Password: th5cs3rHf"
"Password for ZIP:"
"Zip file attached to email: Very urgent information from 24-09-2020.zip"
6. The password is reused for many users and is static in groups.
7. These are seen on E1-E3 as of last week but this has primarily been used on E3 and E2.
8. One other thing to note is that the documents inside the ZIPs are no different (other than being hashbusted) from the other documents in
that epoch's spam at a given time. That is to say, they will have the same creation/modification time in the metadata and the same septet of
payloads in the macro.
9. On 09/23/20 - ~9%-12% of total emails sent on E1/E2/E3 had attachments that were .zip.
10. The file names vary widely and I would not be confident blocking on this alone. I have seen everything from form.zip to
GER-2984537-DOCUMENT-09-23-20.zip and everything in between.
11. We have heard of and seen numerous incidents where the password was wrong and just didn't work.
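As an added example (not part of this report or the Cryptolaemus tooling), the password phrasings and regex classes listed in the facts above, together with the 2021/01/05 Italian and English variants, can be turned into an extractor that pulls the archive password out of a raw message body so the ZIP can be opened for analysis. The labels are the ones quoted on this page (the Japanese one is decoded from the quoted-printable form shown); the sample bodies, hosts and passwords are constructed.

```python
import quopri
import re

# Password labels quoted on this page for the Zip Lock templates. The Japanese
# label is kept in the quoted-printable form the page shows and decoded here.
JP_LABEL = quopri.decodestring(b"=E3=83=91=E3=82=B9=E3=83=AF=E3=83=BC=E3=83=89").decode("utf-8")
LABELS = [
    JP_LABEL, "Password archivio", "Password Archivo", "Parola d'ordine",
    "Passwort", "Mot de passe", "Archive pass", "Password for ZIP",
    "The password for the document is", "The file is password protected", "Password",
]
# Longest label first so "Password archivio" wins over the bare "Password". After
# the label: optional ASCII/fullwidth colon or dash, optional brackets (Japanese
# form), then the candidate. {3,10} spans both classes the page gives, [0-9]{3,5}
# and [0-9a-zA-Z]{5,10}; which class a hit falls in is decided afterwards.
LABEL_RE = re.compile(
    "(?:" + "|".join(re.escape(l) for l in sorted(LABELS, key=len, reverse=True)) + ")"
    + r"\s*[:：-]?\s*\[?([0-9A-Za-z]{3,10})\]?"
)


def extract_passwords(raw_body, quoted_printable=False):
    """Return (candidate, class) pairs found in one email body. With
    quoted_printable=True the transfer encoding is undone first, which is how
    the Japanese templates appear in raw MIME (the =E3=83... strings above)."""
    data = quopri.decodestring(raw_body) if quoted_printable else raw_body
    hits = []
    for m in LABEL_RE.finditer(data.decode("utf-8", "replace")):
        candidate = m.group(1)
        hits.append((candidate, "numeric" if candidate.isdigit() else "alphanumeric"))
    return hits


# Constructed sample bodies in the phrasings the page lists; the passwords are
# made up, not ones observed in the wild. Values are (body, is_quoted_printable).
SAMPLE_BODIES = {
    "jp": (b"=E3=83=91=E3=82=B9=E3=83=AF=E3=83=BC=E3=83=89=EF=BC=9A[Zx9Qw2Ab]", True),
    "it": (b"File di archivio allegato all'email:\nParola d'ordine: 48213", False),
    "de": (b"Passwort: qT7mKp2Lz", False),
    "en": (b"Zip file attached to email: Report 0000.zip\nPassword: 3A7QK9ZL", False),
    "en2": (b"The file is password protected - w2Xy77Qp", False),
    "none": (b"Archive file attached to email: Invoice 0000.zip", False),
}


def scan_samples():
    """Run the extractor over every sample body, keyed by sample name."""
    return {name: extract_passwords(body, qp) for name, (body, qp) in SAMPLE_BODIES.items()}
```

Every candidate, not just the first, is returned, because fact 11 above means the first string that looks like a password is not always the one that opens the archive.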
___________
Paul's Boutique of Documents:
Includes distro and urlhaus report times.
E* Created Primary_Domain Distro Urlhaus Template
E1
E2
E3 2021:01:21 07:19:00 amojo.org 07:36 ios_enable_editing
E3 2021:01:21 07:44:00 deshbangla71news.com 08:54 msword_de
---
notes
See tweets for examples, we almost always provide samples in those tweets.
Link Regex Report
(These are experimental, use at your own risk.)
(Also keep in mind that your filter needs to look inside PDF files to find the URI to test against these. Otherwise
this does not help.)
Update (2021-01-20) - I am going to refresh this once we get more URLs, and cut it down some to cover the new E2 URLs.
New 2020/10/27 - new stuff today and I took a stab at it, but it is ugly. They work but have not been tested for problems and FPs. Use
at your own risk! I have this in a large rule with a layered allow list of exceptions, so I recommend deploying it with something like that.
IMPORTANT: Make sure to make these one line, because carriage returns were added to break them up so they don't break RSS. Also you may or may
not want to use (\"|\n) at the end depending on what you see.
E1 New
https?:\/\/.+?\/(([0-9]{1,2})|acanthite|addons|admin|.+\_ANTIGO|app(s?|\-krog)|arq|aspnet_client|assets|attachments?|avisos|blockman|.+\-button|carchi|
categoryl|.+\_chat|cgi-bin|codepay|complainingness|.+\.com|.+\-connection|content|COPYRIGHT|css|cuim|customerl|.+-data|Document(ation)?|(docs?|DOCS?)|
.+\-designs|engl|eleicao|.+codeofethics|esp|eTrac|example|extensionl|fal|feedback|(FILE|file)|fill|filterl|fonts?|framework|.+\-forms?|generationman|
gennew|.+\-handle|hotelinfo|images|.+\-images|img|INC|index(ing)?|.+_files|install-package|invoice|js|.+\.link|.+login|LLC|lm|logo|mas|military|music|
network|.+\.net|novy|OCT|Overview|Pages|paclm|parts_service|piwigo|plugins|.+\-power|powershell-get|processing|property|.+Proxy|public|public_html
|(R|r)eport(s|ing)?|Sandbox|Scan|securityl|sites?|sitepages?|sys-cache|teachers?|test|uploads?|.+\-unblocked|unpredictable|vendor|wordpress|wp.*
|.+\-z71)\/([A-Za-z0-9]{4,18}\/)?(([A-Za-z0-9]{1,70})\/)(\"|\n)
New from @aristoteles42 - (http(s)?:\/\/.+?\/(.+?\/)?){2}
#1 aggressive - http(s)?\:\/\/[^\s]+\/http
#2 less aggressive - \/http(s)?\:\/\/(attachments|browse|Documentation|docs|esp|eTrac|lm|paclm|Pages|parts_service|parts_service|public|
Overview|Pages|Reporting|Scan|sites|[0-9A-Z]{3,13})\/
E1 OLD
@aristoteles42 E1 Regex #1:
http(s)?:\/\/.+?\/((en|public|default|gallery|upgrade|uploads|download)|(((available|closed|common|individual|multifunctional|open|personal|
private|protected|test|verifiable)|([a-zA-Z0-9]{3,16}[-_][a-zA-Z0-9]{3,16}))[-_]((area|array|box|disk|module|resource|section|sector|zone)|
([a-zA-Z0-9]{3,16}[-_][a-zA-Z0-9]{3,16}))))\/(.+\/)?\s
@aristoteles42 E1 Regex #2:
http(s)?:\/\/.+\/(([a-zA-Z0-9]{3,16}[-_][a-zA-Z0-9]{3,16})|(((additional|close|corporate|external|guarded|individual|interior|
multifunctional|open|security|special|test|verifiable|verified)|([a-zA-Z0-9]{3,16}[-_][a-zA-Z0-9]{3,16}))[-_]((area|box|cloud|forum|module|
portal|profile|sector|space|warehouse)|([a-zA-Z0-9]{3,16}[-_][a-zA-Z0-9]{3,16}))))\/.+?\/\s
Karttoon's E1:
(?:http(s)?:\/\/)?(?:[^\x2F]+\/)+(((available|open|closed?|common|multifunctional|personale?|speciali?|privat(e|a)|test|additional|security|
inter(ior|nal|ni)|individuale?|verifi(ed|able|cabile)|guarded|external|protected|disponibile|corporate|multifunzionale|contestee|aggiuntiva|
chiusi|disponibile|sicurezza|custodito|aperto|comune|verificato)[_-]([a-zA-Z0-9]{3,16}[_-][a-zA-Z0-9]{4,15})\/)|(([a-zA-Z0-9]{2,16}[_-][a-zA-
Z0-9]{4,16})[_-](resource|content|box|disk|sector|modul(e|o)|array|cloud|warehouse|forum|space|portale?|profil(e|o)|zon(e|a)|area|marketing|
spazio|allineamento|module|disco|settore|sezione|risorsa)\/)|((available|open|closed?|common|multifunctional|personale?|speciali?|privat(e|
a)|test|additional|security|inter(ior|nal|ni)|individuale?|verifi(ed|able|cabile)|guarded|external|protected|disponibile|corporate|
multifunzionale|contestee|aggiuntiva|chiusi|disponibile|sicurezza|custodito|aperto|comune|verificato)[_-](resource|content|box|disk|sector|
modul(e|o)|array|cloud|warehouse|forum|space|portale?|profil(e|o)|zon(e|a)|area|marketing|spazio|allineamento|module|disco|settore|sezione|
risorsa)\/)|([a-zA-Z0-9]{4,14}[_-][a-zA-Z0-9]{5,16}[_-][a-zA-Z0-9]{3,13}[_-][a-zA-Z0-9]{2,16}\/)){2}([a-zA-Z0-9]{3,16}[_-][a-zA-Z0-9]{3,14}|
[a-zA-Z0-9]{9})(\/)$
E2 New
This is just a pared-down E1 version:
https?:\/\/.+?\/(([0-9]{1,2})|acanthite|addons|admin|.+\_ANTIGO|app(s?|\-krog)|arq|aspnet_client|assets|avisos|.+\-button|carchi|categoryl|.+\_chat|
cgi-bin|codepay|complainingness|.+\.com|.+\-connection|content|css|cuim|customerl|.+-data|.+\-designs|engl|eleicao|.+codeofethics|example|extensionl|
fal|feedback|fill|filterl|fonts?|framework|.+\-forms?|generationman|gennew|.+\-handle|hotelinfo|.+\-images|img|index(ing)?|.+_files|install-package|
invoice|js|.+\.link|.+login|logo|mas|military|music|network|.+\.net|novy|piwigo|plugins|.+\-power|powershell-get|processing|property|.+Proxy|
public_html|reports?|Sandbox|sitepages?|sys-cache|teachers?|test|uploads?|.+\-unblocked|unpredictable|vendor|wordpress|wp.*|.+\-z71)\/
([a-z0-9]{4,18}\/)?(([A-Za-z0-9]{1,70})\/)(\"|\n)
E2 OLD
OLD:
https?:\/\/.+?\/(addons|admin|attachments|balance|browse|calendar|Document|Documentation|DOC|docs|esp|eTrac|FILE|INC|invoice|index_files|LLC|
lm|network|parts_service|payment|OCT|Overview|Pages|paclm|public|public_html|report|Reporting|Scan|sites|
statement|swift|system|test|uploads|vendor|wp|wp-(admin|content|includes))\/([a-z0-9]{4,18}\/)?(([a-z0-9]{19,56})\/)?(\"|\n)
https?:\/\/.+?\/(addons|attachments|balance|browse|calendar|Document|Documentation|DOC|docs|esp|eTrac|FILE|INC|invoice|index_files|LLC|lm|
network|parts_service|payment|OCT|Overview|Pages|paclm|public|public_html|report|Reporting|Scan|sites|statement|swift|system|test|uploads|
vendor|wp-(admin|content|includes))\/([a-z0-9]{4,18}\/)?(([a-z0-9]{5,15})\-([0-9]{2,9})\-([a-zA-Z0-9]{8,20})\/)?(\"|\n)
https?:\/\/.+?\/(addons|attachments|balance|browse|calendar|Document|Documentation|DOC|docs|esp|eTrac|FILE|INC|invoice|index_files|LLC|lm|
network|parts_service|OCT|Overview|Pages|paclm|public|public_html|report|Reporting|Scan|sites|statement|swift|system|test|uploads|wp-(admin|
content|includes))\/([a-zA-Z0-9]{4,18}\/){0,2}?(([a-zA-Z0-9]{1,12})\-([0-9]{3,10})\-([0-9]{2,10})\-([a-zA-Z0-9]{4,12})\-([a-zA-Z0-9]
{4,12})\/)?(\"|\n)
E3 New
https?:\/\/.+?\/((.+\.com)|addons|admin|attachments|balance|bin|(_)?borders|browse|calendar|cgi-bin|css|dev|Document|Documentation|DOC|docs|
dup-installer(\-)?|esp|eTrac|FILE|form|(inc|INC)|images|_installation|intro|invoice|index_files|journal|LLC|lm|momo|network|(oct|OCT)|open_zone|
Overview|Pages|payment|paclm|photos|parts_service|photo|public|public_html|report|Reporting|Sales|Scan|sendlogin|sites|statement|swift|sys-cache|
system|temp|test|turismo|uploads|WordPress(_02)?|wp|wp-(admin|content|includes))\/([0-9]{4,17}\/){0,2}?(([a-zA-Z]{2,12})|
(([a-z0-9]{1,13})\-([0-9]{2,12})))\/(\"|\n)
E3 OLD
https?:\/\/.+?\/((.+\.com)|addons|admin|attachments|balance|bin|(_)?borders|browse|calendar|cgi-bin|css|dev|Document|Documentation|DOC|docs|
dup-installer(\-)?|esp|eTrac|FILE|form|INC|images|_installation|intro|invoice|index_files|journal|LLC|lm|network|OCT|open_zone|Overview|
Pages|paclm|photos|parts_service|public|public_html|report|Reporting|Sales|Scan|sites|statement|swift|sys-cache|system|temp|test|turismo|
uploads|WordPress(_02)?|wp|wp-(admin|content|includes))\/([0-9]{4,17}\/){0,2}?(([a-zA-Z]{2,10})|(([a-z0-9]{1,13})\-([0-9]{2,12})))\/(\"|\n)
https?:\/\/.+?\/(_old|ABOUT|AdminPanel|backup|calendar|captchacache|cgi-bin|cloud|cpnl|css|Documentation|engl?|fancybox|fonts|images|media|
oauth|pub|report|Register|scripts|setup|sys-cache|test|tmp|tr|us|web|wp(scripts)?|wp-(admin|content|includes))\/([A-Za-z0-9\-]{2,7})\/(\"|\n)
https?:\/\/.+?\/([A-Za-z0-9\-\_]{2,13})\/(([0-9a-z]{2,7}\-[0-9a-z]{2,7}\-[0-9a-z]{2,7}\/){1,2})(\"|\n)
Loader Report
The Payloads and C2 reports have been combined into this section, which is now known as the Loader Report.
_____________
E1
Distro_UTC Bytes Compile SHA256 CAPE Triage IP_1 hashes
E2
Distro_UTC Bytes Compile SHA256 CAPE Triage IP_1 hashes
E3
Distro_UTC Bytes Compile SHA256 CAPE Triage IP_1 hashes
---
notes
no new binaries :|
bundle of exe: https://tria.ge/
---
Notes:
no change from yesterday.
C2 Deltas:
E1 now 93 combos, nil.
E2 now 105 combos, nil.
E3 now 85 combos, nil.
---
E1
none
---
E2
none
---
E3
none
---
Closing
Will Ivan be able to get the botnet spamming again tomorrow? Will hashes be busted even though SSDEEP detects them all anyway?
Will the Emotet tools change the crypter again because it doesn't work with the stupid hashbusting? Will the same silly 2 static
craptcha images be used again for passwords? Inquiring minds want to know. Tune in tomorrow for the latest episode of
"As the Vodka Bottle Empties"
-TT
SHA256s for Epoch 1 Loader EXEs
none seen
SHA256s for Epoch 2 Loader EXEs
none seen
SHA256s for Epoch 3 Loader EXEs
none seen