Danabot Banking Trojan is targeting Italian users

1. Malspam:
2. Oggetto: “Dichiarazione dei redditi <DATA>”
3.  
4. Redirector:
5. hxxp:// donations.storecery.[com/partnerapi/aai.php?email=
6. hxxp:// returns.chrismissirian.[net/mx05/contracts.html?email=
7. hxxp:// local.firstcapitalmortgages[.ca/walker/helpdesk.html?email=
8.  
9. Dropurl:
10. sriyukteshvar[.com
11. pragueat.[com
12. todayutos[.info
13.  
14. C2 (Bushaloader):
15. ticketiinvoice[.info
16. pinghostwell.[info
17. hxxps ://ticketiinvoice[.info/
18. hxxps ://pinghostwell[.info/chkesosod/downs/OEee
19.  
20. C2 (Danabot):
21. 56.50.195[.156
22. 39.12.85[.53
23. 24.243.61[.239
24. 5.221.89[.254
25. 61.152.246[.172
26. 176.119.1[.99
27. 192.71.249[.50
28. 89.248.44[.92
29. 190.114.74[.183
30. hxxp://185.120.144[.185/inv3.php
31.  
32. Hash:
33. 2ff1212be2654421db07abce655bc8a76b90b95409cc26ffc95cceb9a018dcdb zip
34. 69cf9199081b78a6ffc8ed288aeb7df477b0cbea864b80a06fa41340df9f49dc vbs
35. 18a7310ee0c7aa0e465fd761f5767004a24fb33cabca0e87c89183840c4f1f05 dll