{ "28949ce7-0c63-483c-9978-296f85ab6872": { "event_id": 10595, "created_at": "2021-01-15T09:30:01.996679+00:00", "updated_at": "2021-01-15T09:37:21.859454+00:00", "name": "Campagna Emotet veicolata in Italia con PEC Spoofata", "description": "Campagna Emotet scritta in lingua spagnola e veicolata in Italia via PEC spoofata allega ZIP con password", "subject": "Propuesta", "tlp": "0", "campaign_type": "malware", "method": "attached", "country": "generic", "file_type": [ "zip" ], "theme": "Documenti", "malware": "Emotet", "phishing": null, "tag": [], "ioc_list": { "md5": [ "9732e4636e12e2af1ec598d4ef48211c", "e3cfabeed5bd67e9472a73d84e0a90d3", "16e0671a275ad6e949a878f07936b839" ], "sha1": [ "f5e6836392a606b9d273d525003f116a4ef91cf9", "27b74102d7b34126f61945d9a7615b8c4a8aa93d", "1ab471b1ab37c6c49fbd23bd05eb23267da90dfa" ], "sha256": [ "fceb54868d3c18fb527ba58de3c05a507d7e796646b03cef02d84078483b57d9", "6317202ff5f008c4ed2ae5c4c951d6df78da82e970dc1e17630a5dfc0a04b78c", "1e5499e6b6fc3c4f7a29d093e047b9d3610fc5bc282b038e8aa4befce36be095" ], "imphash": [], "domain": [], "url": [ "http://fynart.com/wp-admin/aNuMy/", "http://davinciworldshoppingmall.com/cgi-bin/Eh/", "http://geolifesciences.com/font/r/", "http://201.185.69.28:443/emswan57a241eqjffs/i1nvzqc1re/ekjvi/mbm2d51h1seit8/1btqkkg7z7zev5zb9/", "http://kingshowworldshoppingmall.com/cgi-bin/Ga/", "http://206.189.232.2:8080/r85qzlk9y8vzkotozk/", "http://dermedicoclinic.com/js/NElI8ZC/", "http://jardindhelena.comjardindhelena.com/wp-content/u20/", "http://rollinghood.com/how-to-ifwed/buj6VQx/" ], "ipv4": [], "email": [] }, "email_victim": [], "ioca_version": "1.0", "organization": "cert-agid" }, "cd54fa52-f183-446a-8a53-d48f8f13ebcc": { "event_id": 10592, "created_at": "2021-01-14T12:49:57.297152+00:00", "updated_at": "2021-01-14T15:53:26.127454+00:00", "name": "Campagna emotet", "description": "Uguale alle campagne tipiche di emotet di questo periodo: uso di una comunicazione passata, ZIP con password, DOC con macro VBA \nche lancia PS1 che usa Net.WebClient per scaricare una DLL da un sito WP compromesso. La DLL \u00e8 un packer che contiene emotet (che \u00e8 stato offuscato come descritto nel sito).", "subject": null, "tlp": "0", "campaign_type": "malware", "method": "attached", "country": "italy", "file_type": [ "zip", "doc" ], "theme": "Comunicazioni passate", "malware": "Emotet", "phishing": null, "tag": [], "ioc_list": { "md5": [ "b1cfc3fa2ccf252c0e2aeb18a7524695", "215a6e71d697dff7fdda31606c8bebe4", "dce4d01f8e43cdb0ad2d12ca8c23c430", "0bc65534e9b77a25446ac704ae00cd15", "034b8530a8e5f72f19839344c1856806" ], "sha1": [ "1b408be17db4e76adda7674722e72338a8c81b9c", "c558c6a0209cf67a54cbf988454e5db1d6133270", "e771564e27f43c950ea619acebd2a7c08df1e05b", "4c476df8f84bdd7cf64df235b79cfd4f2a940b71", "1b29af9d42e2db444f7ccdf8820a8adff71cd62e" ], "sha256": [ "21336e350f8cf5d5b7f51daaf5e3a9b7a16a2d4f79ac1194fd535865f779debe", "9134a645f534ce0cd4008ec1728006e3c703559257f632f89573213cb63da080", "62bad0332decf1ce04c29a84cebcbb0e48906816bbc80f62289c8237a38be721", "0ece63290a33ad922d2877016c080bbc0a3f8898b5b81a97552c02913a4eb3db", "9ad089f16f0a4ca1f7e080a145c3e3e2bd8eff72089ee5d61066463a7ca94805" ], "imphash": [], "domain": [], "url": [ "http://datawyse.net/0X3QY/", "http://makiyazhdoma.ru/blocked/tgEeW8M/", "http://mertelofis.com/wp-content/As0/", "http://ketorecipesfit.com/wp-admin/afanv/", "http://cs.lcxxny.com/wp-includes/E3U8nn/", "http://trustseal.enamad.ir.redshopfa.com/admit/wJJvvG/", "http://givingthanksdaily.com/CP/", "http://mpeakecreations.co.za/cgi-bin/vVk1rw/", "https://ats-tx.com/old/f1X/", "http://avanttipisos.com.br/catalogo-virtual/U/", "http://adres-ug.ru/wp-admin/IItD/", "https://theraven.pk/overwolf-r6-vdace/UH4fL/", "http://200.75.39.254/d39xnlvm035g/", "http://bhar.com.br/elementos/MQfB/", "https://smkbudiagung.com/wp-content/VoPg04/" ], "ipv4": [], "email": [] }, "email_victim": [], "ioca_version": "1.0", "organization": "cert-agid" } }