{ "f04d27ed-1114-4467-9c4f-7cd812361b18": { "event_id": 10518, "created_at": "2020-12-18T08:33:54.342606+00:00", "updated_at": "2020-12-18T13:41:38.466689+00:00", "name": "Campagna Ursnif con falsa mail EniGaseLuce", "description": "DOC -> DLL", "subject": "Primo sollecito di paga Fattura 752", "tlp": "0", "campaign_type": "malware", "method": "attached", "country": "italy", "file_type": [ "doc" ], "theme": "Pagamenti", "malware": "Ursnif", "phishing": null, "tag": [], "ioc_list": { "md5": [ "3e732eeda87ae04507f0d1c4f94a2fa1", "0580bead7d154a24f5b70cdc8f3a1fa0", "0aff877fea2e2b18cb1984db76c73432", "06767d3cc0087dc7b1adc149b0f1f7d5", "9b3321de074b78ce58ff242f34101dfd", "098772258acd0d6b1afac1332b394651", "1d030bd1121d621a9c0f3295e46b1fcf", "63395d4c6891d51ce6f02acee33b18dc", "07227b3e316e4fdabafabad79c1081af", "363430ba47c7d69f75e9bc90dbbc1d8c" ], "sha1": [ "ad6a3901a6ccd6af35cf1670853594b9e78e94d2", "2e2ad8b3bbb2347fa9e13a326d896694c6715c26", "0cdffab8da2e54c119426026e02d89680224c38f", "af29af302a8c56c3a1fb85a0a9fa11e012f468f9", "6b38b90bbdeb5b84afc9f88861bfa1467d9d0655", "29b1b099307e83acf56cd04bfaaa2f1e2f9a7b60", "19ba7f6477d63c9b0f2c0f259096f55d4a01262b", "70a18a511b2fe9e764df2046684296aa349abf61", "2f44760f767e4857fc8762d485261853b66b047e", "47fe41dd67e0245c1ece8fcd2c10c713823db833" ], "sha256": [ "aa69396869ee1ed4b964d7a01c41315d46145f5fdfff10a8fd6d24602445f79e", "48003aaf10e02b7225375101b435efc4b7fdda39adc15845843815209c8445fc", "96e3f5338d06a280064a20203540a689ac6a070486fdf41608f6be2a9968d5b0", "c5bc0eb611dd86047b88e5164794171fcd114e46cc12808647a308775ae15b3e", "d19b8d569b0efbbf6c8a9ef81c0940850464b925e844f83c0df73d907a4e9087", "af5030e85147368bd9ad59c09a39cbf28ecde7c7fb93e5b659346f424b3593f3", "a01597e00558eca2cce97efeda0633922f6c520844186322824d3c7751ed457a", "d246572d90f1287fe2a22561154e371b7ec6c644515c6672e5091fcdc788eb76", "6d35a02b91b12750a6c69f5a197480673f939396b458d3ceabc7e4413947181f", "00af5f13551c5e20fe29ec3d12dca555a56cd1edcd0a8633373872334de485ae" ], "imphash": [], "domain": [ "gstatistics.co" ], "url": [ "http://longlive.cyou/p1cture3.jpg", "http://longline.casa/p1cture3.jpg", "http://longlive.casa/p1cture3.jpg", "http://longstat.cyou/p1cture3.jpg", "http://longline.cyou/p1cture3.jpg" ], "ipv4": [], "email": [] }, "email_victim": [], "ioca_version": "1.0", "organization": "cert-agid" }, "7680f753-42de-4874-8b69-5dc30ed22e07": { "event_id": 10508, "created_at": "2020-12-16T12:40:50.688466+00:00", "updated_at": "2020-12-16T12:40:50.733353+00:00", "name": "Campagna Ursnif italiana", "description": "riporta loghi Findomestic", "subject": "totale scaduto 227", "tlp": "0", "campaign_type": "malware", "method": "attached", "country": "italy", "file_type": [ "doc" ], "theme": "Pagamenti", "malware": "Ursnif", "phishing": null, "tag": [], "ioc_list": { "md5": [ "49fc40f6d58c4f97a38283cd530bf3bb", "900366bdf42e49e688ebf1c7bc05d3d3" ], "sha1": [ "ac4aa3d5212bdc864dc0769b995ce0f5c461c4bf", "03a0799b99bef6cabb8e4c704cc1dded20ff6590" ], "sha256": [ "b94d85cb5fb8328fdef03ed345010604b025334aecbe261168222ec4dcbb5774", "4d36701a7ece574dda56feaca4b70d9ee395ccf6c6522142028120b62324efc8" ], "imphash": [], "domain": [], "url": [ "http://199.192.24.31/upload/4343/client64.bin", "http://199.192.24.31/upload/4343/run.bin", "http://199.192.24.31/upload/4343/client32.bin", "https://fatturanumeroverde.com/" ], "ipv4": [], "email": [] }, "email_victim": [], "ioca_version": "1.0", "organization": "cert-agid" }, "3f6afe76-5052-4314-8fad-5c7e8b786bd3": { "event_id": 10507, "created_at": "2020-12-16T10:01:48.305464+00:00", "updated_at": "2020-12-16T10:05:38.254379+00:00", "name": "Campagna Ursnif italiana", "description": "Gentile cliente, le segnaliamo che sono in scadenza le fatture di seguito riportate... Per il pagamento attraverso bonifico bancario BENEFICIARIO BRT S.p.A., con specifica nella descrizione del bonifico del seguente codice cliente 01852603, le indichiamo le nostre coordinate bancarie... Per eventuali informazioni pu\u00f2 contattarci al numero di telefono 0975511416. Cogliamo l'occasione per inviarle cordiali saluti.", "subject": "BRT S.P.A. - Codice cliente 01327234 (ID3014077)", "tlp": "0", "campaign_type": "malware", "method": "attached", "country": "italy", "file_type": [ "xlsm" ], "theme": "Delivery", "malware": "Ursnif", "phishing": null, "tag": [], "ioc_list": { "md5": [ "93eea3f47bd8ae7acbe6f8f7a2e2b1eb", "7D675F9A252B26CD655607AE8B36C3E9" ], "sha1": [ "87AE236BF30A843FA42EE5C6A32FFC51FCC66DBD", "522894A5E30417192C053579D583FF7A690316A7" ], "sha256": [ "5E7F200F26FB2FC09CA80862FC6BEC38F7D539AADA080AF6461771F9233C054F", "0D15B2AD3EC6E0341F5001D8063AA8166B661B4F3E73E2ECC56E2E71B2099471" ], "imphash": [], "domain": [ "loogerblog.xyz", "kaztam.com", "rosadalking.xyz" ], "url": [ "https://fatturanumeroverde.com/" ], "ipv4": [], "email": [] }, "email_victim": [], "ioca_version": "1.0", "organization": "cert-agid" }, "3b370352-02b1-40d9-ab14-2f9d25c5b80c": { "event_id": 10502, "created_at": "2020-12-16T08:17:34.906443+00:00", "updated_at": "2020-12-16T09:00:27.059601+00:00", "name": "Campagna Ursnif italiana", "description": "ZIP -> DOC", "subject": "pagamento rata prestito 976", "tlp": "0", "campaign_type": "malware", "method": "attached", "country": "italy", "file_type": [ "zip" ], "theme": "Pagamenti", "malware": "Ursnif", "phishing": null, "tag": [], "ioc_list": { "md5": [ "5715725f0d532d84a8c39a08f36814ec", "5e965102ad2cdcb3f6886fd50fca9f6b", "1f68f2f1de41079b28ae6d46cf9d6743", "01c939beb85060d895445dc7f369d955", "cc718d16fc92d5c21060db5f0bb51f84" ], "sha1": [ "8e5068375871b21d1aad30b56362dd5ef38bf334", "e2c9002ce2fb80000573802509673ce5b99c7609", "c8cdc54fcf6168c40c0e5ef38f04eaa047d0fcd9", "b84927f33211689147b606b61046746e47c079f0", "3f585cac2ee1180c635c7cfe7afbab6ecac0e5c6" ], "sha256": [ "550baac0b4b99acf919e29a691523acb8c1b88277b1d2f2340b2e9dc37f9110a", "97d08aed5e50dcd9d122018efe1f0c0f0fe6a483a36ca296f2ae8e79785c09a7", "b54d8789fcba8a843b0e5a1d62e3f5195b0520986b963f1681001f623cca8d24", "45f6172fcb4e93461f5725eb63eb51265a9517cea4b89d25953c06c4c5b0ab20", "648b1c970a8a20ac10236f2f116897996aaf63bb460087977520d1c22b64777f" ], "imphash": [ "bda88323e44b65e930ec763aceb0104f" ], "domain": [ "gstat.securanto.net", "gstat.premiamo.eu", "gstat.securezzis.net", "gstat.secundato.net", "gstat.premiamo.com", "gstat.secundamo.com", "gstat.securezzas.com", "gstat.securanto.com", "gstat.secundato.com", "gstat.securezal.xyz", "gstat.securezal.com", "gstat.sloleaks.com", "gstatica.com" ], "url": [ "http://estatus.cyou/ph0t0.jpg", "http://gstatica.com/images", "http://istatus.cyou/ph0t0.jpg", "http://istatus.casa/ph0t0.jpg", "http://istatus.bar/ph0t0.jpg", "http://gstatus.bar/ph0t0.jpg" ], "ipv4": [], "email": [] }, "email_victim": [], "ioca_version": "1.0", "organization": "cert-agid" }, "d3441c1e-43bc-4003-8f8a-902835dc50be": { "event_id": 10495, "created_at": "2020-12-15T10:25:10.561426+00:00", "updated_at": "2020-12-15T11:06:30.266417+00:00", "name": "Campagna Ursnif con falsa mail Enel", "description": "Campagna a tema rimborso Enel veicola allegato con macro malevola XLSM.", "subject": "Rimborso Riferimento PR89571U41Y1911", "tlp": "0", "campaign_type": "malware", "method": "attached", "country": "italy", "file_type": [ "xlsm" ], "theme": "Energia", "malware": "Ursnif", "phishing": null, "tag": [], "ioc_list": { "md5": [ "133f3b213e33269d9bf6254fe6bb92cc", "dde0277221cabab1df0e1cccf6a125b2" ], "sha1": [ "cf8f7ebf6e865dbc9de5795e3e307fc42bd9e6be", "a7d375672ae47f087185c78a444487aa656c8eb5" ], "sha256": [ "e4f4693788de1ce418fa92cd6cf953a4e52828ead8f5a9bf175f9e2785c5e3cc", "0fb4779661fe23fdcd79c77fc74e721b637b496abe2eb26da28d12055af7b458" ], "imphash": [ "9e386d2174f5fb6ba64b3c981ccac306" ], "domain": [ "loogerblog.xyz", "kaztam.com", "rosadalking.xyz" ], "url": [ "https://fortiol.com" ], "ipv4": [], "email": [] }, "email_victim": [], "ioca_version": "1.0", "organization": "cert-agid" }, "ff709d08-0768-4ad4-b8b0-062b2f250faf": { "event_id": 10494, "created_at": "2020-12-15T07:46:20.347861+00:00", "updated_at": "2020-12-15T11:19:45.791069+00:00", "name": "Campagna Ursnif", "description": "campagna veicolata anche con logo Findomestic allega ZIP -> DOC", "subject": "saldo disponibile 3822", "tlp": "0", "campaign_type": "malware", "method": "attached", "country": "italy", "file_type": [ "zip" ], "theme": "Pagamenti", "malware": "Ursnif", "phishing": null, "tag": [], "ioc_list": { "md5": [ "0ae61655824b15e6b0904a9d336a91f3", "04de795632872711bf4ae8460e9cf6e1", "ea2e244513c36f594c69f7e1d5c17317", "8652304AEEE4A1442A54AE70FEAF22C8", "711A01415E4EBB801896833A1C22FF6E", "133f3b213e33269d9bf6254fe6bb92cc", "87f6b046372fa9e076870d8660681e21" ], "sha1": [ "ebac5d8a67a2be742c2139f3cdb25316ff4391e0", "e2aef046ef4fc386d8bfdd7560538cf5bcef8f7a", "916956452f556aa178c25f250ad6149893ed3dd8", "cf8f7ebf6e865dbc9de5795e3e307fc42bd9e6be", "3570f120199e18b94e49b3db16e30baff52b3e4b" ], "sha256": [ "9cabfa3e674b0274b3b802695b49d9634e027fb15aa827afaf793104f7317690", "f76973c5143a8b3be0dd9930d16391687fcd85a0a30e61b9bd30216085c4e4c8", "3ff9554244e69ac1930ac47a8ff7163c4a15d546ae09d03819ab76326d8b3e22", "E4F4693788DE1CE418FA92CD6CF953A4E52828EAD8F5A9BF175F9E2785C5E3CC", "162216af670b1cf48cacac3a3c6277f187dc290256dded6f3ae9397e63f6ff3f", "098ed25cba5132c6cc247c0cfcc609fd1520e2adcb96b7bb0c185c49da8c994a", "0e2dbf58b6019649828f17b0702cc470c93ce1ffa3d08a4409e0593b5c7ecfeb", "7ab8c1e353714aaefc910fe5190a6bd72bf3a51cb4b624d88bfab11c1160cfef", "b6e63246afe40e8e2d934fa5b2d669260bf64fb5d6b506672629fd4cbca5b58b", "326cf255a51498918795e8465f1bdff1fb5737c76161683ea3d07f4df5435189", "684d4f33b891061766922770a7225d975e0c9c0a22b1b3eda03cf3a7c4d5d824", "f48821e4e4634081d39aa4e0489ae1598e9d369fb47229ecf8d1f2f7d00b875e", "ab8873c322f04caafda38eec892962a4e17ddbadbc115db232927891f781d2c5", "0c84acf6d63976812d17da46fc3b8bf1128bbfd5f717262f20e25f3598484a9b", "7b4758da40392fdd67c517697ab77b89e4cd5901948d21a5f6b15c6eeb6bc4a3", "8cf1ea10fd9308e091d1677fc34a4f80e21d535187534a5fb7a51a6061206010", "ab00097632817f42c37f4c6241e38e33fe36d8c718308bd94a69d1e4047980e0" ], "imphash": [ "574e394c54eab82d4574ccb854474b08" ], "domain": [ "gstatici.com", "systemlive.casa", "systemic.casa", "systemok.casa", "systemst.casa", "systemu.casa", "gstat.premiamo.com", "gstat.securanto.net", "gstat.securezal.xyz", "gstat.securezzas.com", "gstat.secundamo.com", "gstat.securanto.com", "gstat.securezal.com", "gstat.secundato.com", "gstat.premiamo.eu", "gstat.securezzis.net", "gstat.sloleaks.com", "gstat.secundato.net", "loogerblog.xyz", "kaztam.com", "rosadalking.xyz" ], "url": [ "http://systemlive.casa/statis1c.dll", "http://systemic.casa/statis1c.dll", "http://systemok.casa/statis1c.dll", "http://systemst.casa/statis1c.dll", "http://systemu.casa/statis1c.dll", "https://fortiol.com/", "http://176.10.118.191/xmas.rar" ], "ipv4": [], "email": [] }, "email_victim": [], "ioca_version": "1.0", "organization": "cert-agid" } }