
03/02/2020 09:07

2020W05 Weekly report => 01-07/02 2K20 MalSpam campaigns targeting Italy


Malware delivered through the campaigns: Emotet, Ursnif, LokiBot, FormBook, RAT, PWStealer

Weekly report on Italian malspam campaigns, compiled by TG Soft's C.R.A.M.

Below are the details of the campaigns distributed on a massive scale in the past week, from 1 February 2020 to 7 February 2020: Emotet, Ursnif, LokiBot, FormBook, RAT, PWStealer

INDEX

==> 03 February 2020 => Emotet, LokiBot, PWStealer
==> 04 February 2020 => Ursnif, Emotet, LokiBot, FormBook, PWStealer
==> 05 February 2020 => LokiBot, PWStealer
==> 06 February 2020 => Emotet, PWStealer
==> 07 February 2020 => RAT, Emotet

==> See the January campaigns



03 February 2020

PWStealer

Avviso di pagamento Copia_pdf.exe
MD5: a3ca912dd46787784d71f6d8ed961e09
Size: 73728 Bytes
VirIT: Trojan.Win32.PSWStealer.BZB

IOC:
a3ca912dd46787784d71f6d8ed961e09

PWStealer

DHL_FORM14PDF.exe
MD5: 45f4626e4f498ae850e60af0b41cc6f1
Size: 2106880 Bytes
VirIT: Trojan.Win32.PSWStealer.BZB

IOC:
45f4626e4f498ae850e60af0b41cc6f1

PWStealer

INV_00364_3A00189257_pdf.pdf.exe
MD5: 5b89f8020b6e2ede813e7120e15f7d7d
Size: 1660928 Bytes
VirIT: Trojan.Win32.PSWStealer.BZB

IOC:
5b89f8020b6e2ede813e7120e15f7d7d

LokiBot

PaymentAdviceAgisco_CS540.exe
MD5: 05ae862d95759d6b44dcc6798cb8f25f
Size: 45056 Bytes
VirIT: Trojan.Win32.PSWStealer.BZB

IOC:
05ae862d95759d6b44dcc6798cb8f25f

p://dealwithus[.]tk
p://alphastand[.]trade/alien/fre.php
p://kbfvzoboss[.]bid/alien/fre.php


Emotet

2020_U16575268.doc
MD5: 9571bcb08e29efd56d7b899f611c57bc
Size: 128662 Bytes
VirIT: W97M.Emotet.BZB

createachannel.exe
MD5: 73111d16fad5d0a8c1b39407a7974037
Size: 586057 Bytes
VirIT: Trojan.Win32.Emotet.BZB

IOC:
9571bcb08e29efd56d7b899f611c57bc
73111d16fad5d0a8c1b39407a7974037

s://hatbhutantour[.]com/wp-content/3Wu/
p://tandinbhutantravel[.]com/wp-content/F6D/
s://sakurabacninh[.]com/database/7INiA233/
p://www.buildwithinnovation[.]com/idx6a/Ut/
s://beholdbhutantravels[.]com/wp-content/wW1/


PWStealer

pagamento.exe
MD5: ec9528b932a09fd90ce88d1a2af29ab9
Size: 622080 Bytes
VirIT: Trojan.Win32.PSWStealer.BZD

kBQAdZByqNAYJPDxma5.exe
MD5: 4aada021e24051250345e956cf407b8f
Size: 67584 Bytes
VirIT: Trojan.Win32.Genus.BZD

IOC:
ec9528b932a09fd90ce88d1a2af29ab9
4aada021e24051250345e956cf407b8f

04 February 2020

LokiBot

2020045367822095.exe.exe
MD5: dd8c0ad36a79abbcff33c80e8fcf4cbf
Size: 1283072 Bytes
VirIT: Trojan.Win32.PSWStealer.BZD

IOC:
dd8c0ad36a79abbcff33c80e8fcf4cbf

p://xlkz[.]xyz
p://alphastand[.]trade/alien/fre.php
p://kbfvzoboss[.]bid/alien/fre.php

PWStealer

Dettagli del contratto.pdf.exe
MD5: 3f0fd9c7f1bef9f3915423f43cc26d5c
Size: 1581568 Bytes
VirIT: Trojan.Win32.PSWStealer.BZD

IOC:
3f0fd9c7f1bef9f3915423f43cc26d5c

108.161.187[.]74

Ursnif

info_02_04
MD5: a4a218cc13d73835b0e8819bc901c883
Size: 73421 Bytes
VirIT: W97M.Ursnif.BZD

(URSNIF PAYLOAD)
MD5: 2679166b9ddf923359bba34a111e195f
Size: 262144 Bytes
VirIT: Trojan.Win32.Ursnif.BZD

Version: 214112
Group: 3581
Key: 10291029JSJUYNHG

IOC:
a4a218cc13d73835b0e8819bc901c883
2679166b9ddf923359bba34a111e195f

p://nvdvdgp[.]com
p://z4v1qth[.]com
p://gs11fd5[.]com
p://bghqyf1[.]com
p://ku3rgq4[.]com

Ursnif

297494_sollecito_SOL20A1640474.xls
MD5: 99c177598fa892cb999816ef94e1d041
Size: 70144 Bytes
VirIT: X97M.Ursnif.BZD

(URSNIF PAYLOAD)
MD5: 1cb3e945b1a5f3023006e12ad5f552c1
Size: 276992 Bytes
VirIT: Trojan.Win32.Ursnif.BZD

Version: 214112
Group: 2052
Key: 10291029JSJUXMPP

IOC:
99c177598fa892cb999816ef94e1d041
1cb3e945b1a5f3023006e12ad5f552c1

p://kuu15austin21[.]com
p://qryyueeriberto[.]com
p://v15zxnapoleonln[.]com

PWStealer

DHLMIL005215487402.02042020.exe
MD5: cf13ae5f4fb0d986ee1d186064737741
Size: 90112 Bytes
VirIT: Trojan.Win32.PSWStealer.BZE

IOC:
cf13ae5f4fb0d986ee1d186064737741

PWStealer

MIL000215477400.exe
MD5: 2394c68a9d8b35605eb1af6f9100b770
Size: 90112 Bytes
VirIT: Trojan.Win32.Genus.BZD

IOC:
2394c68a9d8b35605eb1af6f9100b770

FormBook

d'acquisto n. 89146..exe
MD5: 4a81d14cd2a5697218c99a1723d0cd5e
Size: 567808 Bytes
VirIT: Trojan.Win32.PSWStealer.BZD

IOC:
4a81d14cd2a5697218c99a1723d0cd5e

PWStealer

PDFpagamento.exe
MD5: 7f75507da3b1f9a18b2e8871c78eab3c
Size: 633344 Bytes
VirIT: Trojan.Win32.PSWStealer.BZE

rbkallfuDlPKyZWZma5.exe
MD5: 35f67de43b83149d188897b8e8315d88
Size: 112640 Bytes
VirIT: Trojan.Win32.Genus.BZE

IOC:
7f75507da3b1f9a18b2e8871c78eab3c
35f67de43b83149d188897b8e8315d88

Emotet

fattura-1892.doc
MD5: 19e7819c1d7932e335449db06085cacf
Size: 129852 Bytes
VirIT: W97M.Emotet.BZD

createachannel.exe
MD5: 22e500356384360a46f34c7089e2ca2e
Size: 352927 Bytes
VirIT: Trojan.Win32.Emotet.BZD

IOC:
19e7819c1d7932e335449db06085cacf
22e500356384360a46f34c7089e2ca2e

p://crimecitynews[.]com/wp-includes/DeHZs1/
p://clicksbyayush[.]com/wp-content/T721/
s://www.hgklighting[.]com/dacecb0fcd2bc6cbe09ed1527e527b37/pwdSS610g/
p://cheapwebvn[.]net/wp-content/cache/uZLPqwbGic/
p://sundevilstudentwork[.]com/wp-content/N4h2nKXI/

05 February 2020

PWStealer

PDF.pagamento.exe
MD5: 963d32581ad13d6d169bcda724505b28
Size: 636928 Bytes
VirIT: Trojan.Win32.PSWStealer.BZE

eNMVKofvODtVuilama5.exe
MD5: a881c76e1f9d6d7ad55b33b00946e6ba
Size: 113152 Bytes
VirIT: Trojan.Win32.Genus.BZE

IOC:
963d32581ad13d6d169bcda724505b28
a881c76e1f9d6d7ad55b33b00946e6ba

PWStealer

INV_00364_3A001892572_pdfpdf.exe
MD5: b4e601ee8e9933084e255172e60d1374
Size: 1535488 Bytes
VirIT: Trojan.Win32.Genus.JW

IOC:
b4e601ee8e9933084e255172e60d1374

LokiBot

VLTG_PurchaseOrder_Vitas_9735450.exe
MD5: e0cefa4353bc8f52c9e26c0bbce63610
Size: 77824 Bytes
VirIT: Trojan.Win32.PSWStealer.BZE

IOC:
e0cefa4353bc8f52c9e26c0bbce63610

p://euromopy[.]tech
p://alphastand[.]trade/alien/fre.php
p://kbfvzoboss[.]bid/alien/fre.php

06 February 2020

PWStealer

pagamento.exe
MD5: 3a0b51389b0dec543e1c07273374d3ba
Size: 615424 Bytes
VirIT: Trojan.Win32.PSWStealer.BZH

MPupanGFrEYvXNWrma5.exe
MD5: 81810bc28f0b6f7807430c28739e722a
Size: 49152 Bytes
VirIT: Trojan.Win32.Genus.BZH

IOC:
3a0b51389b0dec543e1c07273374d3ba
81810bc28f0b6f7807430c28739e722a

Emotet

Fatture_GH0040_febbraio_2020_{RCPT.DOMAIN-1}.doc
MD5: 525f09b7e626bc4b4ae9b5651add05a6
Size: 273234 Bytes
VirIT: W97M.Emotet.BZH

createachannel.exe
MD5: 948c98a8c8662e283066922f48ebd0c3
Size: 241953 Bytes
VirIT: Trojan.Win32.Emotet.BZH

IOC:
525f09b7e626bc4b4ae9b5651add05a6
948c98a8c8662e283066922f48ebd0c3

s://9jabliss[.]com/oirxio/zlUgplO/
p://nvl.netsmartz[.]net/zod/gedkhogBs/
s://tbadl-ashtrakat[.]000webhostapp.com/wp-admin/3zru64pkg-eyke30v-432/
p://web23.s170[.]goserver.host/tmp/dz3c5ars-2zpnzzj69-298/
p://steakhouse42[.]site/tmp/mwh-vvrtz9kn-2692678/

07 February 2020

RAT

saps.doc
MD5: 574466838a7711088fb70fae1ae9cacb
Size: 427602 Bytes
VirIT: W97M.Downloader.BZJ

ertrqvg.exe
MD5: 04246b8456c1e0682e4f3b7d286a939d
Size: 102912 Bytes
VirIT: Trojan.Win32.Kasidet.BA

IOC:
574466838a7711088fb70fae1ae9cacb
04246b8456c1e0682e4f3b7d286a939d

p://nurofenpanadol[.]su/tasks.php

Emotet

Form.rtf
MD5: c258f827282731ed61c672e501319b3f
Size: 215348 Bytes
VirIT: W97M.Emotet.BZJ

createachannel.exe
MD5: 83b0ea9176b595556a4db794c73ee3e1
Size: 491846 Bytes
VirIT: Trojan.Win32.Emotet.BZJ

IOC:
c258f827282731ed61c672e501319b3f
83b0ea9176b595556a4db794c73ee3e1

p://fastacompany[.]com/wp-includes/IErV82C/
p://finerbook[.]com/wp-admin/H2897/
p://foto-periodismo[.]com/wp-content/WmK574/
p://gadgetgi[.]com/wp-admin/bEd7912/
p://funatsu[.]biz/wp/RMEE429803/



See the January campaigns

We invite you to consult the January reports to stay up to date on the malspam campaigns circulating in Italy:

25/01/2020 = Weekly report on Italian Malspam campaigns from 25 January to 31 January 2020
18/01/2020 = Weekly report on Italian Malspam campaigns from 18 January to 24 January 2020
11/01/2020 = Weekly report on Italian Malspam campaigns from 11 January to 17 January 2020

C.R.A.M.
Centro Ricerche Anti-Malware di TG Soft
Any information published on our site may be used and published on other websites, blogs, forums, Facebook and/or in any other form, both on paper and electronically, as long as the source is always and in any case cited explicitly as “Source: CRAM by TG Soft www.tgsoft.it”, with a clickable link to the original information and/or web page from which textual content, ideas and/or images have been taken.
When information from C.R.A.M. by TG Soft www.tgsoft.it is used in summary articles, the following acknowledgement would be appreciated: “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”