103.208.86.7   /bunced.net
103.208.86.19  /ravenzt.com
103.208.86.20  /lartymanz.com
103.208.86.21  /hoafmzn.com
103.208.86.22  /gaosrta.com
103.208.86.27  /bartyba.com
103.208.86.39  /visont.net
103.208.86.44  /bromze.com
103.208.86.64  /martbaba.com
103.208.86.68  /nirvax.net
103.208.86.70  /koltary.com

Emotet Reference
https://twitter.com/Cryptolaemus1/status/1471164570844766220 (koltary.com)

###############################################

http://103.208.86.7/
C2 Server: bunced.net (/jquery-3.3.1.min.js)
Watermark: 0
BeaconType: HTTP
Port: 80
UserAgent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri: /jquery-3.3.2.min.js
SleepTime: 5000
MaxGetSize: 1403644
Jitter: 10
MaxDNS: Not Found
PublicKey MD5: 96facb94dddd3b19bbf9e1980777b4f1
Malleable C2 Instructions:
    Remove 1522 bytes from the end
    Remove 84 bytes from the beginning
    Remove 3931 bytes from the beginning
    Base64 URL-safe decode
    XOR mask w/ random key
Spawnto_x86: %windir%\syswow64\dllhost.exe
Spawnto_x64: %windir%\sysnative\dllhost.exe

####################################################

http://103.208.86.19/
C2 Server: ravenzt.com (/jquery-3.3.1.min.js)
Watermark: 0
BeaconType: HTTP
Port: 80
UserAgent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri: /jquery-3.3.2.min.js
SleepTime: 5000
MaxGetSize: 1403644
Jitter: 10
MaxDNS: Not Found
PublicKey MD5: 5ee1fc49b1032582f7d192fccc79f46a
Malleable C2 Instructions:
    Remove 1522 bytes from the end
    Remove 84 bytes from the beginning
    Remove 3931 bytes from the beginning
    Base64 URL-safe decode
    XOR mask w/ random key
Spawnto_x86: %windir%\syswow64\dllhost.exe
Spawnto_x64: %windir%\sysnative\dllhost.exe

####################################################

http://103.208.86.21/
C2 Server: hoafmzn.com (/jquery-3.3.1.min.js)
Watermark: 0
BeaconType: HTTP
Port: 80
UserAgent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri: /jquery-3.3.2.min.js
SleepTime: 5000
MaxGetSize: 1403644
Jitter: 10
MaxDNS: Not Found
PublicKey MD5: 0b6d804a06306045248303e9b7dca6a3
Malleable C2 Instructions:
    Remove 1522 bytes from the end
    Remove 84 bytes from the beginning
    Remove 3931 bytes from the beginning
    Base64 URL-safe decode
    XOR mask w/ random key
Spawnto_x86: %windir%\syswow64\dllhost.exe
Spawnto_x64: %windir%\sysnative\dllhost.exe

####################################################

http://103.208.86.22/
C2 Server: gaosrta.com (/jquery-3.3.1.min.js)
Watermark: 0
BeaconType: HTTP
Port: 80
UserAgent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri: /jquery-3.3.2.min.js
SleepTime: 5000
MaxGetSize: 1403644
Jitter: 10
MaxDNS: Not Found
PublicKey MD5: ff65810b06b6d03c78f82d041d598c3f
Malleable C2 Instructions:
    Remove 1522 bytes from the end
    Remove 84 bytes from the beginning
    Remove 3931 bytes from the beginning
    Base64 URL-safe decode
    XOR mask w/ random key
Spawnto_x86: %windir%\syswow64\dllhost.exe
Spawnto_x64: %windir%\sysnative\dllhost.exe

####################################################

http://103.208.86.27/
C2 Server: bartyba.com (/jquery-3.3.1.min.js)
Watermark: 0
BeaconType: HTTP
Port: 80
UserAgent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri: /jquery-3.3.2.min.js
SleepTime: 5000
MaxGetSize: 1403644
Jitter: 10
MaxDNS: Not Found
PublicKey MD5: f4f219d7f1e77e2b7bfc348d58e75c3e
Malleable C2 Instructions:
    Remove 1522 bytes from the end
    Remove 84 bytes from the beginning
    Remove 3931 bytes from the beginning
    Base64 URL-safe decode
    XOR mask w/ random key
Spawnto_x86: %windir%\syswow64\dllhost.exe
Spawnto_x64: %windir%\sysnative\dllhost.exe

####################################################

http://103.208.86.39/
C2 Server: visont.net (/jquery-3.3.1.min.js)
Watermark: 0
BeaconType: HTTP
Port: 80
UserAgent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri: /jquery-3.3.2.min.js
SleepTime: 5000
MaxGetSize: 1403644
Jitter: 10
MaxDNS: Not Found
PublicKey MD5: c60a248cc3e3ad52088035b21bf170a4
Malleable C2 Instructions:
    Remove 1522 bytes from the end
    Remove 84 bytes from the beginning
    Remove 3931 bytes from the beginning
    Base64 URL-safe decode
    XOR mask w/ random key
Spawnto_x86: %windir%\syswow64\dllhost.exe
Spawnto_x64: %windir%\sysnative\dllhost.exe

####################################################

http://103.208.86.44/
C2 Server: bromze.com (/jquery-3.3.1.min.js)
Watermark: 0
BeaconType: HTTP
Port: 80
UserAgent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri: /jquery-3.3.2.min.js
SleepTime: 5000
MaxGetSize: 1403644
Jitter: 10
MaxDNS: Not Found
PublicKey MD5: 7d16378062b1bf4f6662186499e17cec
Malleable C2 Instructions:
    Remove 1522 bytes from the end
    Remove 84 bytes from the beginning
    Remove 3931 bytes from the beginning
    Base64 URL-safe decode
    XOR mask w/ random key
Spawnto_x86: %windir%\syswow64\dllhost.exe
Spawnto_x64: %windir%\sysnative\dllhost.exe

####################################################

http://103.208.86.64/
C2 Server: martbaba.com (/jquery-3.3.1.min.js)
Watermark: 0
BeaconType: HTTP
Port: 80
UserAgent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri: /jquery-3.3.2.min.js
SleepTime: 5000
MaxGetSize: 1403644
Jitter: 10
MaxDNS: Not Found
PublicKey MD5: 4cd3b17e16c1bd2310529b2cb5f8de2c
Malleable C2 Instructions:
    Remove 1522 bytes from the end
    Remove 84 bytes from the beginning
    Remove 3931 bytes from the beginning
    Base64 URL-safe decode
    XOR mask w/ random key
Spawnto_x86: %windir%\syswow64\dllhost.exe
Spawnto_x64: %windir%\sysnative\dllhost.exe

####################################################

http://103.208.86.68/
C2 Server: nirvax.net (/jquery-3.3.1.min.js)
Watermark: 0
BeaconType: HTTP
Port: 80
UserAgent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri: /jquery-3.3.2.min.js
SleepTime: 5000
MaxGetSize: 1403644
Jitter: 10
MaxDNS: Not Found
PublicKey MD5: d7ab77012323399d4a66fdf98e1d35fe
Malleable C2 Instructions:
    Remove 1522 bytes from the end
    Remove 84 bytes from the beginning
    Remove 3931 bytes from the beginning
    Base64 URL-safe decode
    XOR mask w/ random key
Spawnto_x86: %windir%\syswow64\dllhost.exe
Spawnto_x64: %windir%\sysnative\dllhost.exe

####################################################

http://103.208.86.70/
C2 Server: koltary.com (/jquery-3.3.1.min.js)
Watermark: 0
BeaconType: HTTP
Port: 80
UserAgent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri: /jquery-3.3.2.min.js
SleepTime: 5000
MaxGetSize: 1403644
Jitter: 10
MaxDNS: Not Found
PublicKey MD5: 44d342b4c454ae7655721d9ef47dbb3c
Malleable C2 Instructions:
    Remove 1522 bytes from the end
    Remove 84 bytes from the beginning
    Remove 3931 bytes from the beginning
    Base64 URL-safe decode
    XOR mask w/ random key
Spawnto_x86: %windir%\syswow64\dllhost.exe
Spawnto_x64: %windir%\sysnative\dllhost.exe

####################################################