ioc[.]one - OSINT Cyber Threat Intelligence Database

Op. “Pistacchietto”: An Italian Job - Yoroi

Tags

country:	Italy
maec-delivery-vectors:	Watering Hole
attack-pattern:	Direct Dns - T1071.004 Dns - T1590.002 Ip Addresses - T1590.005 Malware - T1587.001 Malware - T1588.001 Python - T1059.006 Scheduled Task - T1053.005 Server - T1583.004 Server - T1584.004 Tool - T1588.002 Whois - T1596.002 Scheduled Task - T1053

Show in Graph

Common Information

Type	Value
UUID	e771f224-3f09-49fe-bfb0-07b457ce42e8
Fingerprint	8d84e86a8d9b03c0
Analysis status	DONE
Considered CTI value	2
Text language
Published	March 6, 2019, 4 p.m.
Added to db	Jan. 16, 2023, 4:56 p.m.
Last updated	Nov. 17, 2024, 11:40 p.m.
Headline	Op. “Pistacchietto”: An Italian Job
Title	Op. “Pistacchietto”: An Italian Job - Yoroi
Detected Hints/Tags/Attributes	69/3/95

Source URLs

	Redirection	Url
Details	Source	https://blog.yoroi.company/research/op-pistacchietto-an-italian-job/

URL Provider

Details	Provider	Source level domain
Details	yoroi.company	blog.yoroi.company

Attributes

Details	Type	#Events	Value
Details	Domain	1	config01.homepc.it
Details	Domain	4128	github.com
Details	Domain	1	verifiche.ddns.net
Details	Domain	2	drive.google
Details	Domain	1	woffice.py
Details	Domain	1	config02.addns.org
Details	Domain	1	office.py
Details	Domain	1	paner.altervista.org
Details	Domain	1	certificates.ddns.net
Details	Domain	1	visionstore.info
Details	File	9	win.bat
Details	File	1	wup.php
Details	File	7	nc64.exe
Details	File	33	nc.exe
Details	File	13	wget.exe
Details	File	1	wget32.exe
Details	File	1	get.vbs
Details	File	2	sys.xml
Details	File	1	syskill.xml
Details	File	1	office_get.xml
Details	File	1	woffice.exe
Details	File	1	init.vbs
Details	File	1	winsw.exe
Details	File	1	c:\windows\get.vbs
Details	File	1	woffice2.exe
Details	File	87	nissrv.exe
Details	File	1	woffice.py
Details	File	1	office.py
Details	sha256	1	a22ac932707e458c692ba72e5f4ddb3317817ac3a9a1ccbcccbdf720a9bd2cd4
Details	sha256	1	1061e997486c793ab5561fd7df0c2eb36b9390a564101e7ae5cc8dbf9541f750
Details	sha256	1	6edbf8b3f94d29be7c24676fbf2d1e4cdf00b1f7b9f31c2ce458d1e21b23af97
Details	sha256	1	3eecd459aa454f7973048af310c7086ff4a74efd5a3aee9f909cca324a0e2013
Details	sha256	1	a9f5e4c294ce6fb3bbdc4cd1ce3b23136005ce1dd57b2e8d20ed2161eea9f62b
Details	sha256	1	6d3e7adcf9626bbee6935c6e8ced13831ac419be19b9d13bc361bda402fbaca7
Details	sha256	1	61aaf7b301ed9f574ec3e37428e0e9c62875ddf8a075897408d5b1eb612097cc
Details	sha256	1	008bab1cc06a8c9fcdbc0e539d7709de0d163acaf26d90c78c00e7c58fa29fc3
Details	sha256	1	40e01c946618942c90851a09cb3e43c1e4d1e7d999ac97e9dab0f0a6222ca3ff
Details	sha256	1	d55331abdcedb96be387c70ddf8dd8d783cdf24be7e37e9913939f87e4a6b248
Details	sha256	1	18dec7d69a8eae1e78f8720ac3b6c8a5d1bb4c2f039a2d85bf77b01a82dc6912
Details	sha256	1	b11243ac75e5c3e343615889dbe28e51b1795dc5628e0f12e03b7192ca61bc60
Details	sha256	1	e1642bbe8a8ef616c97f34b835bc4f229f0e15c4619451e641462a44f476b46b
Details	sha256	1	6ec51cb47c72c572c683c07d971c80b9a4fc60c65c4e1af1524fb8595a653e0d
Details	sha256	1	cea68f294d0a21f19d79b2c3eefa762c1c295076c37c6c5b644e84e9a45dd2d2
Details	sha256	1	910e829f476fea4c406ebf760f4f8946448e236d110866f66c54257944d01906
Details	sha256	1	489d24447898ac587dedd8b8c097bf33ea7a3c639a978910f582015f4a229d5e
Details	sha256	1	688c5918872d45e1b375c3c65a453a8e891012fd9a4e35ceb1fa8cb24d2ffb68
Details	sha256	1	95280d20abbea35b435402ad06484938edad733dc94ba6271aed3cc1bd9887cf
Details	sha256	1	c2455b94bc8c5a05ebddf7e1736ca5a2bcbc728da6e07fb51a507ce9866d0ae8
Details	sha256	1	5b2f437bda3faa40073b441469694faae8f121b50b1fcfd6fdc0fa7288c082c9
Details	sha256	1	4087e880e5b658ff1f917fef17d2fd95c4382cefbbc08baf860cabd749c65e50
Details	sha256	1	505cedb52e044c7bdbd52ce7a392f78ccd7663ecfb07d23b314717dfacecf3f1
Details	sha256	1	0f1e223eaf8b6d71f65960f8b9e14c98ba62e585334a6349bcd02216f4415868
Details	sha256	1	097baea0616eaaab899f8d68e919bcaa66d77667a0f98b9ec643b7db980ec8d3
Details	sha256	1	24b47abad994181eb1ab660ec91d5fe4facd018d406f4312d6bc804a31254739
Details	sha256	1	5773e1821d336a1d72e72973319cc48f956ce4ff6888cd8734ee5a2c880fe484
Details	sha256	1	0e524fe27a4307ed8499a1c0d4df1f7354be6862085d368433f8df7028d13803
Details	sha256	1	efbcf3682f1780ae0c567f8f5a747d1b04131f786047deee5c2be7b0ba2c2c67
Details	sha256	1	32ff81be7818fa7140817fa0bc856975ae9fcb324a081d0e0560d7b5b87efb30
Details	sha256	1	81fbea6c5eaa33ed02124afac06106626282f02daa0a2634f69afab1ce5f3fd4
Details	sha256	1	2af025abe916003123a04f09c1d9804e2f9340b439e41ea47b542f4ba8be68ef
Details	sha256	1	408344a29792bbd2bc1cf54dedfec7bc442251cc84ecfe0288f1d2d0c34f59a0
Details	sha256	1	9c034a07c0857eee1bc1cc1e1859230656a385dbbaa471e666af7372f94c8d1e
Details	sha256	1	6a72488747d12d129aacae76864b83de31f7c4ae357622e78fa43cf506d9c48e
Details	sha256	1	4a416b55d3a250d52747bd8b87a3b791f2b7b8df45217de60c6e35ad0de84b12
Details	sha256	1	04c6dfc497d175c8f755ee3d3722d33ee255ec8f2e6c2a9d1039345086bd6408
Details	sha256	1	46daac1a8aa83a0de63b7f70ac2f4ede61cd82ceba51ce00b804b37fb429521a
Details	sha256	1	2f2f0ea2f649ef120c111dfa020d333826d68d74cf1bed1fd3f1ef92e91a4413
Details	sha256	1	3d3df7bb13a774d394a0c9e3f40a54cc9daa0705887363845eaf7f60218111cc
Details	sha256	1	e2e4d23525389c13126401215541f5625258da18372cb5c98d0b95123a86acfb
Details	sha256	1	be82341a12ea83d9efadc9ac35cf16d327f8499c99107dcde88dd0f5df84523c
Details	sha256	1	da15f169fff2f707ebffd2d1c78dc906ee9352c1d218ebe06d601c4b45382112
Details	sha256	1	c697b8502254a8305c6e77161e41c655b622876a933758139c16377298fd3f31
Details	sha256	1	498eec0b0cf5d945f77d4477e030f91f0e412631002f478622ef11ea0842eeba
Details	sha256	1	5bfc98f79d79b98ca39f3571a660d98eccba788578a7e8a3950d65714b721b50
Details	sha256	3	20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
Details	sha256	1	6ac2ab4b6cc96a8f5e5ff08d825c7ac14504878061607530f58f7a1b02c0bfac
Details	sha256	1	86c24972e3ef376dfef1ed144a32e9f549de6aabdc6aeadefb8125fccd5132c3
Details	sha256	1	b6a2dd050339d3991442f460fdb48f76d8eaad5fa233a261970fb6d9c73f2925
Details	sha256	1	e7693c69db0e1cc1c19f6c7df7711cc07512f2a53f1919639bf15f969e180c7a
Details	sha256	1	3655c6bc776688fd54d6ec9de51c7eb2512ac8f987bcd807e14a4accc13e5f11
Details	sha256	1	ee86f083fdb8d5e2f4d1d609faf964fa08a01875bc0abb364aeb09bb83c35f8c
Details	sha256	1	04187ce5216fb1ef6ffe0fd2bcea6ae38ef055993b9d23f331d8c45e89510ade
Details	sha256	1	d11eff9047b71b82adce6089c3a845263846b124108b4b48220c3142393e89ad
Details	sha256	1	22d1a234507a76fd72d9c1948666da992d5a24e16c5791c806dd8d2ea2d141f5
Details	sha256	1	39316065605cbbccd9c9e7c9529ee2cd32d158ca7939888bfb811851ea6bef4c
Details	IPv4	1	52.26.124.145
Details	IPv6	1	25:686::2
Details	IPv6	1	1f0a:12af::2
Details	Url	1	https://github.com/pistacchietto/win-python-backdoor/raw/master
Details	Url	1	http://verifiche.ddns.net
Details	Url	2	https://drive.google
Details	Url	1	http://config01.homepc.it
Details	Url	1	http://paner.altervista.org
Details	Url	1	http://config02.addns.org
Details	Yara rule	1	rule pistacchietto_campaign_0219 { meta: description = "Yara rule for Pistacchietto campaign" author = "Yoroi ZLab - Cybaze" last_updated = "2019-03-01" tlp = "white" category = "informational" strings: $nc = "nc.exe" ascii wide $nc64 = "nc64.exe" ascii wide $dns1 = "config02.addns.org" ascii wide $dns2 = "config01.homepc.it" ascii wide $dns3 = "verifiche.ddns.net" ascii wide $dns4 = "paner.altervista.org" ascii wide $dns5 = "certificates.ddns.net" ascii wide $id = "pistacchietto" ascii wide $path = "/svc/wup.php?pc=" ascii wide condition: (1 of ($nc)) and (1 of ($dns)) or $id or $path }