2017-10-26 - HANCITOR INFECTION WITH ZEUS PANDA BANKER

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-10-26-Hancitor-infection-with-Zeus-Panda-Banker.pcap.zip   2.2 MB (2,203,470 bytes)

• 2017-10-26-Hancitor-infection-with-Zeus-Panda-Banker.pcap   (3,154,362 bytes)

• 2017-10-26-Hancitor-malspam-25-examples.zip   29.8 kB (29,768 bytes)

• 2017-10-26-Hancitor-malspam-153455-UTC.txt   (2,748 bytes)
• 2017-10-26-Hancitor-malspam-154025-UTC.txt   (2,773 bytes)
• 2017-10-26-Hancitor-malspam-154050-UTC.txt   (2,758 bytes)
• 2017-10-26-Hancitor-malspam-155803-UTC.txt   (2,793 bytes)
• 2017-10-26-Hancitor-malspam-160257-UTC.txt   (2,828 bytes)
• 2017-10-26-Hancitor-malspam-161434-UTC.txt   (2,818 bytes)
• 2017-10-26-Hancitor-malspam-161547-UTC.txt   (2,795 bytes)
• 2017-10-26-Hancitor-malspam-162005-UTC.txt   (2,807 bytes)
• 2017-10-26-Hancitor-malspam-162437-UTC.txt   (2,839 bytes)
• 2017-10-26-Hancitor-malspam-163029-UTC.txt   (2,787 bytes)
• 2017-10-26-Hancitor-malspam-163446-UTC.txt   (2,822 bytes)
• 2017-10-26-Hancitor-malspam-163827-UTC.txt   (2,770 bytes)
• 2017-10-26-Hancitor-malspam-165437-UTC.txt   (2,801 bytes)
• 2017-10-26-Hancitor-malspam-170300-UTC.txt   (2,844 bytes)
• 2017-10-26-Hancitor-malspam-170549-UTC.txt   (2,789 bytes)
• 2017-10-26-Hancitor-malspam-171228-UTC.txt   (2,777 bytes)
• 2017-10-26-Hancitor-malspam-171751-UTC.txt   (2,760 bytes)
• 2017-10-26-Hancitor-malspam-171933-UTC.txt   (2,751 bytes)
• 2017-10-26-Hancitor-malspam-172419-UTC.txt   (2,784 bytes)
• 2017-10-26-Hancitor-malspam-175917-UTC.txt   (2,803 bytes)
• 2017-10-26-Hancitor-malspam-181923-UTC.txt   (2,769 bytes)
• 2017-10-26-Hancitor-malspam-183916-UTC.txt   (2,807 bytes)
• 2017-10-26-Hancitor-malspam-195435-UTC.txt   (2,758 bytes)
• 2017-10-26-Hancitor-malspam-200146-UTC.txt   (2,823 bytes)
• 2017-10-26-Hancitor-malspam-204726-UTC.txt   (2,763 bytes)

• 2017-10-26-malware-from-Hancitor-infection.zip   226.8 kB (226,828 bytes)

• notice_998780.doc   (193,024 bytes)
• xulstore.exe   (172,544 bytes)

 

TODAY'S TWEETS COVERING THE 2017-10-26 WAVE OF #HANCITOR MALSPAM:

• @James_inthe_box:  And #hancitor #malspam: "Missed shipping|delivery notification for tracking <random>" pastebin.com/XAYqvvqb details as I get them   (link to tweet)
• @noottrak:  New #hancitor ? Back to API if so e4984fb2fb373ff4ceaf3f6cc40dbfdb092a03df8a58f123136761e821c0cc99 @James_inthe_box I won't be near pc   (link to tweet)

 

NOTES:

• No more DDE attack in the Word documents like we saw previously on 2017-10-16.  Today, it's back to Word macros.
• Today, instead of seeing DELoader/ZLoader in the post-infection malware, I noticed what appears to be Zeus Panda Banker.

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date/Time: Thursday 2017-10-26 15:34 UTC through at least 20:47 UTC

• Received: from angelwingsigns[.]com ([67.133.151[.]14])
• Received: from angelwingsigns[.]com ([71.75.179[.]135])
• Received: from angelwingsigns[.]com ([97.76.39[.]190])
• Received: from angelwingsigns[.]com ([98.119.130[.]238])
• Received: from daumarcorp[.]com ([12.227.179[.]18])
• Received: from daumarcorp[.]com ([24.0.234[.]106])
• Received: from daumarcorp[.]com ([38.98.124[.]62])
• Received: from daumarcorp[.]com ([64.61.172[.]230])
• Received: from daumarcorp[.]com ([65.157.99[.]75])
• Received: from daumarcorp[.]com ([72.175.76[.]79])
• Received: from daumarcorp[.]com ([74.75.144[.]125])
• Received: from daumarcorp[.]com ([82.129.106[.]36])
• Received: from daumarcorp[.]com ([96.33.255[.]179])
• Received: from daumarcorp[.]com ([173.13.9[.]9])
• Received: from daumarcorp[.]com ([208.123.135[.]136])
• Received: from daumarcorp[.]com ([209.33.121[.]22])
• Received: from daumarcorp[.]com ([216.215.95[.]114])
• Received: from sevenmetsuites[.]com ([24.103.74[.]246])
• Received: from sevenmetsuites[.]com ([67.136.195[.]29])
• Received: from sevenmetsuites[.]com ([69.70.89[.]26])
• Received: from sevenmetsuites[.]com ([69.168.10[.]171])
• Received: from sevenmetsuites[.]com ([71.15.210[.]158])
• Received: from sevenmetsuites[.]com ([74.87.9[.]154])
• Received: from sevenmetsuites[.]com ([96.68.110[.]242])
• Received: from sevenmetsuites[.]com ([198.0.61[.]206])

• From: "UPS Delivery" <ups24084@angelwingsigns[.]com>
• From: "UPS Delivery" <ups43035@sevenmetsuites[.]com>
• From: "UPS Delivery" <ups48062@sevenmetsuites[.]com>
• From: "UPS Delivery" <ups51445@angelwingsigns[.]com>
• From: "UPS Delivery" <ups58276@daumarcorp[.]com>
• From: "UPS Delivery" <ups74123@daumarcorp[.]com>
• From: "UPS Delivery" <ups80882@daumarcorp[.]com>
• From: "UPS Delivery" <ups81714@sevenmetsuites[.]com>
• From: "UPS Quantum View" <ups26327@angelwingsigns[.]com>
• From: "UPS Quantum View" <ups34252@daumarcorp[.]com>
• From: "UPS Quantum View" <ups50657@angelwingsigns[.]com>
• From: "UPS Quantum View" <ups76634@daumarcorp[.]com>
• From: "UPS Quantum View" <ups81300@sevenmetsuites[.]com>
• From: "UPS Quantum View" <ups85600@sevenmetsuites[.]com>
• From: "UPS Shipments" <ups03440@sevenmetsuites[.]com>
• From: "UPS Shipments" <ups35411@daumarcorp[.]com>
• From: "UPS Shipments" <ups42411@sevenmetsuites[.]com>
• From: "UPS Shipping" <ups02466@daumarcorp[.]com>
• From: "UPS Shipping" <ups12877@daumarcorp[.]com>
• From: "UPS Shipping" <ups24656@daumarcorp[.]com>
• From: "UPS Shipping" <ups52182@daumarcorp[.]com>
• From: "UPS Shipping" <ups63225@daumarcorp[.]com>
• From: "UPS Shipping" <ups70841@sevenmetsuites[.]com>
• From: "UPS Shipping" <ups75107@daumarcorp[.]com>
• From: "UPS Shipping" <ups78838@daumarcorp[.]com>

• Subject: Missed delivery notification for tracking 1Z0E0Y753247837106
• Subject: Missed delivery notification for tracking 1Z1E1Y581266388745
• Subject: Missed delivery notification for tracking 1Z2E2Y817274175225
• Subject: Missed delivery notification for tracking 1Z3E3Y400328016088
• Subject: Missed delivery notification for tracking 1Z4E4Y755823507584
• Subject: Missed delivery notification for tracking 1Z5E5Y013462670766
• Subject: Missed delivery notification for tracking 1Z7E7Y338336774206
• Subject: Missed shipment notification for tracking 1Z0E0Y741843841125
• Subject: Missed shipment notification for tracking 1Z0E0Y854734812346
• Subject: Missed shipment notification for tracking 1Z2E2Y873430622064
• Subject: Missed shipment notification for tracking 1Z3E3Y455385714188
• Subject: Missed shipment notification for tracking 1Z3E3Y467162818355
• Subject: Missed shipment notification for tracking 1Z4E4Y081222473762
• Subject: Missed shipment notification for tracking 1Z5E5Y447181473646
• Subject: Missed shipment notification for tracking 1Z5E5Y518335271373
• Subject: Missed shipment notification for tracking 1Z7E7Y001645374657
• Subject: Missed shipment notification for tracking 1Z7E7Y336772678722
• Subject: Missed shipment notification for tracking 1Z7E7Y622537408346
• Subject: Missed shipment notification for tracking 1Z7E7Y748168687516
• Subject: Missed shipping notification for tracking 1Z0E0Y840728665734
• Subject: Missed shipping notification for tracking 1Z1E1Y582275128776
• Subject: Missed shipping notification for tracking 1Z2E2Y121305450370
• Subject: Missed shipping notification for tracking 1Z4E4Y823118685041
• Subject: Missed shipping notification for tracking 1Z5E5Y470388525475
• Subject: Missed shipping notification for tracking 1Z8E8Y358855056462

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

Shown above:  Example of HTTPS post-infection traffic caused by Zeus Panda Banker to tontrumuchtors[.]com in Fiddler.

 

LINKS IN THE EMAILS TO THE WORD DOCUMENT:

• 10stepstoyes[.]org - GET /n.php?lwq716=[recipient's email address]
• 10stepstoyes[.]net - GET /n.php?bdl087=[recipient's email address]
• 10stepstoyes[.]net - GET /n.php?clq230=[recipient's email address]
• 10stepstoyes[.]net - GET /n.php?isv441=[recipient's email address]
• 10stepstoyes[.]net - GET /n.php?vkm736=[recipient's email address]
• bostonproductliabilitylawblog[.]com - GET /n.php?jyv248=[recipient's email address]
• bostonproductliabilitylawblog[.]com - GET /n.php?qda632=[recipient's email address]
• bostonwrongfuldeathblog[.]com - GET /n.php?kvw473=[recipient's email address]
• bostonwrongfuldeathblog[.]com - GET /n.php?otz160=[recipient's email address]
• bostonwrongfuldeathlaw[.]com - GET /n.php?swe215=[recipient's email address]
• consumerrightslawblog[.]com - GET /n.php?ffj058=[recipient's email address]
• consumerrightslawblog[.]com - GET /n.php?muc827=[recipient's email address]
• consumerrightslawyerblog[.]com - GET /n.php?ihr358=[recipient's email address]
• misterstreetsigns[.]com - GET /n.php?div334=[recipient's email address]
• misterstreetsigns[.]com - GET /n.php?njb664=[recipient's email address]
• securedorderluinc[.]com - GET /n.php?ofm047=[recipient's email address]
• securedorderluinc[.]com - GET /n.php?tip557=[recipient's email address]
• tenstepstoyes[.]com - GET /n.php?ygu010=[recipient's email address]
• tenstepstoyes[.]net - GET /n.php?btz727=recipient's email address]
• tenstepstoyes[.]net - GET /n.php?qea402=[recipient's email address]
• tenstepstoyes[.]net - GET /n.php?tca876=[recipient's email address]
• tortlawblog[.]com - GET /n.php?fux618=[recipient's email address]
• tortlawblog[.]com - GET /n.php?jgk834=[recipient's email address]
• tortlawblog[.]com - GET /n.php?ofs637=[recipient's email address]
• tortlawblog[.]com - GET /n.php?rsm475=[recipient's email address]

NAME FOR THE MALICIOUS WORD DOCUMENT:

• notice_[six random digits].doc

POST-INFECTION TRAFFIC FROM MY INFECTED HOST:

• 141.101.196[.]80 port 80 - notheccodidn[.]com - POST /ls5/forum.php
• 141.101.196[.]80 port 80 - notheccodidn[.]com - POST /mlu/forum.php
• 141.101.196[.]80 port 80 - notheccodidn[.]com - POST /d2/about.php
• 62.233.65[.]78 port 80 - sanginpayeh[.]com - GET /1
• 62.233.65[.]78 port 80 - sanginpayeh[.]com - GET /2
• 62.233.65[.]78 port 80 - sanginpayeh[.]com - GET /3
• 69.195.124[.]131 port 80 - launchinlevi[.]com - GET /1
• 69.195.124[.]131 port 80 - launchinlevi[.]com - GET /2
• 69.195.124[.]131 port 80 - launchinlevi[.]com - GET /3
• 136.243.11[.]201 port 80 - webtarahan[.]ir - GET /1
• 136.243.11[.]201 port 80 - webtarahan[.]ir - GET /2
• 136.243.11[.]201 port 80 - webtarahan[.]ir - GET /3
• 164.132.28[.]118 port 443 - tontrumuchtors[.]com - HTTPS/SSL/TLS traffic
• 164.132.102[.]162 port 80 - rugoheset[.]ru - POST /ls5/forum.php
• api.ipify[.]org - GET /

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  e4984fb2fb373ff4ceaf3f6cc40dbfdb092a03df8a58f123136761e821c0cc99
  File name:  notice_998780.doc
  File size:  193,024 bytes
  File description:  Hancitor maldoc

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  8646acb4bc76aa2221b3fd885305937710f90866f61139d08bee44d3b22902b8
  File location:  C:\Users\[username]\AppData\Local\Temp\BN8CC2.tmp
  File location:  C:\Users\[username]\AppData\Roaming\[random existing path]\[random name].exe
  File size:  172,544 bytes
  File description:  Zeus Panda Banker

Shown above:  Example of post-infection malware, Zeus Panda Banker.  Zeus Panda Banker saves itself to the infected host in as a random name to a
random existing directory path under the user's AppData\Roaming folder.

 

Click here to return to the main page.