25/11/2019
08:27

2019W46 Weekly report => 16-22/11 2K19 MalSpam campaigns targeting Italy


Malware distributed through the malspam campaigns: Ursnif, Emotet, LokiBot, Adwind, Genus, NanoCore, SLoad, FormBook
       

Weekly report on Italian malspam campaigns, compiled by the C.R.A.M. of TG Soft.

Below are the details of the campaigns distributed on a massive scale during the week just ended, from 18 November 2019 to 22 November 2019: Ursnif, Emotet, LokiBot, Adwind, Genus, NanoCore, SLoad, FormBook

INDEX

 ==> 18 November 2019 => Emotet - SLoad
 ==> 19 November 2019 => Emotet - LokiBot - Ursnif
 ==> 20 November 2019 => Emotet - Adwind - LokiBot - Genus
 ==> 21 November 2019 => Emotet - NanoCore - Adwind
 ==> 22 November 2019 => Emotet - FormBook
 ==> See the campaigns of the month of October


18 November 2019

Emotet

DOCUMENTO 112019 J_92620.doc
MD5: c34fb2fac67046d63dd5d1e0d684fe18
Size: 206979 Bytes
VirIT: W97M.Downloader.BVF

printsxcl.exe
MD5: ae795b05ace43f916fbbee8a39afe0aa
Size: 220672 Bytes
VirIT: Trojan.Win32.Emotet.BVM

X4PuG3u1xJhIK6.exe
MD5: 3680cb3b257bdea0ad646adbb490d532
Size: 455680 Bytes
VirIT: Trojan.Win32.Trickbot.BVM



IOC:




SLoad

documentazione-aggiornata-YAV89221930213.wsf
MD5: d7062f7b36e501abaaef36d17e7b70c8
Size: 8098 Bytes
VirIT: Trojan.VBS.Dwnldr.BVF

IOC:
d7062f7b36e501abaaef36d17e7b70c8

s://ayalacarranza[.]com/
s://pcera[.]eu/

 

 



19 November 2019

Emotet

Fattura numero 94173 del 19.11.2019.doc
MD5: de7d7b6ce160aec4a82aac6fa253e96d
Size: 196950 Bytes
VirIT: W97M.Downloader.BVH

printsxcl.exe
MD5: 08d10c705c762705c50d91d0137f5c57
Size: 381201 Bytes
VirIT: Trojan.Win32.Dnldr30.CNYD

printsxcl.exe
MD5: ad557c55b0943936df58b5b2ff0feafd
Size: 206848 Bytes
VirIT: Trojan.Win32.Emotet.BVM

wg8I6fCnw53etPk.exe
MD5: 3680cb3b257bdea0ad646adbb490d532
Size: 455680 Bytes
VirIT: Trojan.Win32.Trickbot.BVM

IOC:
 

 
 


LokiBot




Letter Unicredit SpA 11 19 2019_PDF.com
MD5: a64d161ab722933c974d64088a5d4012
Size: 1150976 Bytes
VirIT: Trojan.Win32.PSWStealer.BVH

IOC:
a64d161ab722933c974d64088a5d4012

vcntq[.]gq
104.24.104[.]94
104.24.105[.]94



 

LokiBot




SWIFT.exe
MD5: 774bd2aac5339a27b130155ec546c6b1
Size: 970752 Bytes
VirIT: Trojan.Win32.PSWStealer.BVI

IOC:
774bd2aac5339a27b130155ec546c6b1

matbin[.]com
85.187.128[.]8


Ursnif




Nuovo documento 2.vbs
MD5: 7d2b81d2ca6da7e4f095282c6cfb69dc
Size: 3979156 Bytes
VirIT: Trojan.VBS.Dwnldr.BVH

ColorPick.exe
MD5: af0464c5e28dbdef41e3a8c6ca042765
Size: 148504 Bytes
VirIT: Trojan.Win32.Ursnif.BVH

Version: 300807
Group: 20198071
Key: VyXZqi501cGXjJTW


IOC:
7d2b81d2ca6da7e4f095282c6cfb69dc
af0464c5e28dbdef41e3a8c6ca042765

s://digoedani[.]xyz

 


 
 
 

20 November 2019

Emotet

dati_112019.doc
MD5: 8865e685bab95c695ea8429249a51eac
Size: 130874 Bytes
VirIT: W97M.Downloader.BVJ

printsxcl.exe
MD5: 78852d28b41cb141b4bb138399aab117
Size: 220905 Bytes
VirIT: Trojan.Win32.Emotet.BVM

IOC:
 

  

Adwind




SCAN75448_Pdf.jar
MD5: e1b24edd8962d9a5e969548dad48e0dc
Size: 629354 Bytes
VirIT: Trojan.Java.Adwind.BRK

Retrive4922279840584391390.vbs
MD5: a32c109297ed1ca155598cd295c26611
Size: 281 Bytes
VirIT: Trojan.VBS.Agent.AU

Retrive6907446895776897473.vbs
MD5: 3bdfd33017806b85949b6faa7d4b98e4
Size: 276 Bytes
VirIT: Trojan.VBS.Agent.AU


IOC:
e1b24edd8962d9a5e969548dad48e0dc
a32c109297ed1ca155598cd295c26611
3bdfd33017806b85949b6faa7d4b98e4

jbond[.]sytes.net




   

Genus

 
  

Ordine n. 1696 del 20112019 Venezia doc.exe
MD5: 994cb3cbd9ff567bdb27257e0c70b066
Size: 378961 Bytes
VirIT: Trojan.Win32.Genus.BVJ


IOC:
994cb3cbd9ff567bdb27257e0c70b066

 

LokiBot

 
 

FATTURA_____PDF_____756464.exe
MD5: ec64bb15df16f86daf07eb1f884a2fe2
Size: 293376 Bytes
VirIT: Trojan.Win32.PSWStealer.BVJ


IOC:
ec64bb15df16f86daf07eb1f884a2fe2

p://onllygoodam[.]com
31.184.254[.]112




21 November 2019

Emotet

File-LS-10856480.doc
MD5: 0214cd10069e216bcc9ea3e781c7a555
Size: 119041 Bytes
VirIT: W97M.Downloader.BVL

titlewrap.exe
MD5: 4a9bc2198aa059cf20807a4edf0dac94
Size: 450775 Bytes
VirIT: Trojan.Win32.Emotet.BVL


IOC:

 




NanoCore

 


PODocumenti pago e Roma 5889005678899w _pdf.exe
MD5: 2d7eb5436f5f73f5ce466c8865bd8892
Size: 1114112 Bytes
VirIT: Trojan.Win32.Genus.BVL

win-server.exe
MD5: b9700245ce3fc475d1317a87f57a28cd
Size: 126976 Bytes
VirIT: Trojan.Win32.Genus.BSI

IOC:
2d7eb5436f5f73f5ce466c8865bd8892
b9700245ce3fc475d1317a87f57a28cd

185.165.153[.]186
91.193.75[.]51
 
 

 
 

Adwind



IMG_21-11-2019_PDF.jar
MD5: 7d90edaf49e0c044c7098281cf8a564c
Size: 522360 Bytes
VirIT: Trojan.Java.Adwind.BVM

Retrive4363700364539941420.vbs
MD5: a32c109297ed1ca155598cd295c26611
Size: 281 Bytes
VirIT: Trojan.VBS.Agent.AU

Retrive6666584593518733296.vbs
MD5: 3bdfd33017806b85949b6faa7d4b98e4
Size: 276 Bytes
VirIT: Trojan.VBS.Agent.AU

IOC:
7d90edaf49e0c044c7098281cf8a564c
a32c109297ed1ca155598cd295c26611
3bdfd33017806b85949b6faa7d4b98e4

jbond[.]sytes.net



 

22 November 2019

Emotet

943249.doc
MD5: c3515b12d5ce4afc4b39183a9be9390d
Size: 214697 Bytes
VirIT: W97M.Downloader.BVN

printsxcl.exe
MD5: b2a5e278b43ee7313ec855f93c0fe0ce
Size: 232227 Bytes
VirIT: Trojan.Win32.Emotet.BVP

wJ1ugSOH3pMlWvTL2.exe
MD5: 5aeae7f37d7c8d96e3ac06044ef3b72f
Size: 241664 Bytes
VirIT: Trojan.Win32.TrickBot.BVS

IOC:
 



 
 

FormBook

 
 

Copia_del_bollettino_del_bonifico_bancario.com
MD5: c92719c9020e3eded29b6a340d5ad632
Size: 606208 Bytes
VirIT: Trojan.Win32.Injector.BVN

IOC:
c92719c9020e3eded29b6a340d5ad632



 

 


See the campaigns of the month of October/November

We invite you to consult the reports for the month of October/November to stay up to date on the malspam campaigns circulating in Italy:

09/11/2019 = Weekly report on Italian malspam campaigns from 09 November to 15 November 2019
02/11/2019 = Weekly report on Italian malspam campaigns from 02 November to 08 November 2019
26/10/2019 = Weekly report on Italian malspam campaigns from 26 October to 01 November 2019

C.R.A.M.
Anti-Malware Research Center of TG Soft
Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”
