- Gozi/Ursnif Banking Trojan targets Italian Enterprise Organization
- IOC:
- Malspam:
- Sender:
- "Alfredo Rota" <direzione@alkaservizi.com>
- "Info - Hotel Cristina Napoli" <info@hotelcristinanapoli.com>
- (may vary; potentially compromised accounts are used)
- Subject:
- “Re: R: Turni del 19/03/2018”
- “Re: Rinnovo Convenzione - Dioniso's Hotels & Apartments”
- (may vary further)
- Attachment:
- “Richiesta.doc”
- “<PREFIX>-Richiesta.doc”
- Dropurl:
- 107.152.196[.147
- dqwodnqwdoajndwqdqwdasd[.com
- qwdiqjdauqwdnaqudqawd.[com
- http:// qwdiqjdauqwdnaqudqawd.[com/NOIT/testv.php?l=borter<1-10>.class
- Components:
- C2 (TOR):
- C2:
- Hash:
- e918f6467e8b1b66633b71c45f9999e44e154101f41dda99e9df8cb01f8d10d9 doc
- 903a6e34b077822108b8dd38a8733636368e2450f8eaae8a5eb939dd5569bfd5 exe
- Persistence:
- “C:\Users\%USER%\AppData\Roaming\Microsoft\<AUTOGENERATED_NAME_1>\<AUTOGENERATED_NAME_2>.exe”, e.g.
- “C:\Users\%USER%\AppData\Roaming\Microsoft\Dot3gpui\bdeuroxy.exe”
- “C:\Users\%USER%\AppData\Roaming\Microsoft\Bitsdler\Audibrkr.exe”