Emotet
privacy 19.doc
MD5: 3d55fa49d1e822462fd505a12cc34160
Dimensione: 84536 Bytes
VirIT: W97M.Downlaoder.BWT
titlewrap.exe
MD5: d478ca0e32de9808bb3c50f04d38604d
Dimensione: 711715 Bytes
VirIT: Trojan.Win32.Emotet.BWT
IOC:
3d55fa49d1e822462fd505a12cc34160
d478ca0e32de9808bb3c50f04d38604d
p://goldonam[.]com/wp-admin/uv/
p://helloseatravel[.]com/wp-content/EFtavrYg/
p://mattonicomunicacao[.]com/agenciamento/ekuia/
p://myagentco[.]com/new/vkn/
s://usa.slackart[.]ch/wp-content/TxDVHvMRu8/
Ursnif
0273719-08921.xls
MD5: 06cb6351fe235dd3ade76b06835c9d1e
Dimensione: 64512 Bytes
VirIT: X97M.Downloader.BWT
(PAYLOAD URSNIF)
MD5: 1d3af80239862a93007e8f7f21a4d995
Dimensione: 195072 Bytes
VirIT: Trojan.Win32.Ursnif.BWT
| Versione: 217108 |
| Gruppo: 2052 |
| Key: 10291029JSJUXMPP |
IOC:
06cb6351fe235dd3ade76b06835c9d1e
1d3af80239862a93007e8f7f21a4d995
s://agenziadelleentrate.site
94.100.28[.]237
p://eioeruhgirbe.xyz
37.120.145[.]157
s://xuelko.xyz
94.100.18[.]7
RevengeRAT
documento.xls
MD5: 47b23031691d3e5bcf60ef633f060feb
Dimensione: 698880 Bytes
VirIT: X97M.Downloader.BWU
NewClient2.exe
MD5: 8149bee327bbba3bb219dfd9eee632e1
Dimensione: 13312 Bytes
VirIT: Trojan.Win32.Genus.BWU
IOC:
47b23031691d3e5bcf60ef633f060feb
8149bee327bbba3bb219dfd9eee632e1
s://8a8e6597.ngrok[.]io/11
185.140.53[.]69:8989
Torna ad inizio pagina
PWStealer
SWIFT.exe
MD5: 96f8bc2579dc04faeee884c03ebe1351
Dimensione: 2114048 Bytes
VirIT:
Trojan.Win32.Genus.BWU
IOC:
96f8bc2579dc04faeee884c03ebe1351
Torna ad inizio pagina
Emotet
fatture_PJX0367_dicembre_2019_{RCPT.DOMAIN}.doc
MD5: 2116e7648238b66b467d9fa96aa15d74
Dimensione: 175758 Bytes
VirIT:
W97M.Downloader.BWW
titlewrap.exe
MD5: 118fe19986eabfa8e7da880000c5016d
Dimensione: 643557 Bytes
VirIT:
Trojan.Win32.Emotet.BWW
IOC:
2116e7648238b66b467d9fa96aa15d74
118fe19986eabfa8e7da880000c5016d
p://hedayetsaadi[.]com/wp-includes/js/z3zf6k1s-s1k8v7j-189636/
p://braddmcbrearty[.]com/wp-admin/HIfIGbVd/
s://show-lifez[.]com/pressthisl/f2gqm-csz530q-195856099/
p://qsquareads[.]com/wp-content/qJshWp/
p://yantami[.]de/40f2gtse/7qieeo1g-1yj-99181271/
Ursnif
Nuovo documento 1.vbs
MD5: be5c6412b14e7ae3bae27d9a6c12f787
Dimensione: 3969724 Bytes
VirIT:
Trojan.VBS.Dwnldr.BWV
ColorPick.exe
MD5: ef6d6863ddd29e737dcbc989a9898f3d
Dimensione: 173072 Bytes
VirIT:
Trojan.Win32.Ursnif.BWV
| Versione: 300814 |
| Gruppo: 20198141 |
| Key: vuX9vQFU7K7ZnrCQ |
IOC:
be5c6412b14e7ae3bae27d9a6c12f787
ef6d6863ddd29e737dcbc989a9898f3d
p://excellencegroup[.]biz
p://excellencegroup[.]org
p://excellenceservices[.]org
p://gamesigns[.]com
p://excellencegroup[.]biz
p://excellencegroup[.]org
p://hotmembersonly[.]com
s://tripuruguay[.]info
212.42.121[.]53
s://chloroz[.]xyz
45.140.168[.]244
HawkEye
65069-AMM0000799423-73606598643.exe
MD5: b5f938c98179139b8e626767ee19bd2c
Dimensione: 1790976 Bytes
VirIT:
Trojan.Win32.PSWStealer.BWV
IOC:
b5f938c98179139b8e626767ee19bd2c
p://pomf[.]cat/upload.php
s://a.pomf[.]cat/
PWStealer
Scan_2019.17.12_15.11.47_Export (2).exe
MD5: 1c0d51bce1bb213727a395f22dd3e85a
Dimensione: 322117 Bytes
VirIT:
Trojan.Win32.Genus.BWV
IOC:
1c0d51bce1bb213727a395f22dd3e85a
Emotet
Fattura numero 7575 del 18.12.2019.doc
MD5: ea6ea3fa9ade0827fdec2d263bd9611e
Dimensione: 202475 Bytes
VirIT:
W97M.Downloader.BWM
titlewrap.exe
MD5: 102d65122f90e40113b6f64082c0e208
Dimensione: 385116 Bytes
VirIT: Trojan.Win32.Emotet.BWX
IOC:
ea6ea3fa9ade0827fdec2d263bd9611e
102d65122f90e40113b6f64082c0e208
s://salvacodina[.]com/wp-admin/qWYFrK/
s://bar-ola[.]com/wp-admin/KIdh35kENT/
p://rinani[.]com/wp-includes/FFkV/
s://wowmotions[.]com/wp-admin/A8LwzwQ/
p://serviska[.]com/show_cat3/lKzElbNb/
Ursnif
AVVISO Cliente 31691.xls
MD5: b49c3e17463bcb0fa37e59eb28da8a9a
Dimensione: 78336 Bytes
VirIT: X97M.Downloader.HY
Payload Ursnif
MD5: ff8bf919840a0532b600916b316c5fca
Dimensione: 223774 Bytes
VirIT: Trojan.Win32.Ursnif.BWX
| Versione: 217111 |
| Gruppo: 2052 |
| Key: 10291029JSJUXMPP |
IOC:
b49c3e17463bcb0fa37e59eb28da8a9a
ff8bf919840a0532b600916b316c5fca
s://newsaplicamento[.]surf/frus?78DF2EB8-499D-7844-9B77-3E6AEADF24E8
p://ohfebveub[.]xyz/images/RX0_2B18koCFcYKkcLJY_2/FrQX9YSgvpr9e/8f9
p://desaidles2[.]fun
p://ge1dmond[.]info
p://furmul2aso[.]com
p://zal6etuf[.]pro
p://gedmond0[.]pro
p://new1discoveries1[.]com
p://newsaplicamento2[.]surf
p://kolonimalosi8[.]pw
XpertRAT
SILEA PURCHASE ORDER REF. CT-39623B19.exe
MD5: 34659511b2c506e967d892cdbb0a678e
Dimensione: 860160 Bytes
VirIT: Trojan.Win32.Genus.BWX
Il malware sfrutta i seguenti tool prodotti da NirSoft per l'esfiltrazione dei dati dal computer della vittima:
- WebBrowserPassView
- PassView
- Dialupass
- Mail PassView
- MessenPass
IOC:
34659511b2c506e967d892cdbb0a678e
46.183.221[.]104
Emotet
Greta Thunberg.doc
MD5: 25011a1efa431afeb70b490c95396720
Dimensione: 212186 Bytes
VirIT:
W97M.Downloader.BXA
titlewrap.exe
MD5: 70e47922eb73501a28aa2483493241c1
Dimensione: 319603 Bytes
VirIT:
Trojan.Win32.Emotet.ZA
IOC:
25011a1efa431afeb70b490c95396720
70e47922eb73501a28aa2483493241c1
p://www.textilesunrise[.]com/anjuv/lymjn-kpc564-0052/
s://pakspaservices[.]com/cgi-bin/ykvrg-yt75yx1-43/
s://www.helenelagnieu[.]fr/wp-includes/lvtehd-cg9sdb-59/
p://ondesignstudio[.]in/sitemap/a5r48v5-6mpz-0938187/
s://www.lubinco[.]co.il/wp-content/LMnGPljQ/
PWStealer
aggiorna la fattura allegata.exe
MD5: c1eaabfbcd67b93676c1f6f6d03c97f7
Dimensione: 541696 Bytes
VirIT:
Trojan.Win32.PSWStealer.BXA
IOC:
c1eaabfbcd67b93676c1f6f6d03c97f7
SCAN_00_(PI) Francesc-1802 .exe
MD5: c3b38d03c4a471e1a70960d14a83d5f6
Dimensione: 155648 Bytes
VirIT:
Trojan.Win32.Genus.BXA
Il malware usa la tecnica di injection sul programma
RegAsm.exe di Windows per esflitrare i dati tramite una connessione attraverso il servizio Cloud di
Google Drive
IOC:
c3b38d03c4a471e1a70960d14a83d5f6
Emotet
Dimostrazione 2019.doc
MD5: 89c05d4a697bff6e43b307fa5e671ae4
Dimensione: 207986 Bytes
VirIT:
W97M.Downloader.BXB
titlewrap.exe
MD5: 8c824b65077f190484de2cf6be652ca6
Dimensione: 716896 Bytes
VirIT:
Trojan.Win32.Emotet.BXB
IOC:
89c05d4a697bff6e43b307fa5e671ae4
8c824b65077f190484de2cf6be652ca6
p://www.wangjy1211[.]xyz/wp-includes/bmzb-f0vjim4w-5277909/
s://www.compelconsultancy[.]com/2ic0/lNeMPamsg/
p://www.acgvideo[.]co/cache/rzvKsqUX/
P://www.smdelectro[.]com/alfacgiapi/fkq-lke7btj-80091/
s://www.air-pegasus[.]com/sips/ADcnKLXD/
Consulta le campagne del mese di Novembre/Dicembre
Vi invitiamo a consultare i report del mese di Novembre/Dicembre, per rimanere aggiornati sulle campagne di malspam circolanti in Italia:
07/11/2019 =
Report settimanale delle campagne italiane di Malspam dal 07 dicembre al 13 dicembre 2019
30/11/2019 =
Report settimanale delle campagne italiane di Malspam dal 30 novembre al 06 dicembre 2019
23/11/2019 =
Report settimanale delle campagne italiane di MalSpam dal 23 novembre al 29 novembre 2019
C.R.A.M.
Centro Ricerche Anti-Malware di TG Soft
