2017-11-21 - HANCITOR INFECTION WITH ICEDID (BOKBOT)

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-11-21-Hancitor-infection-with-IcedID.pcap.zip   1.7 MB (1,699,044 bytes)

• 2017-11-21-Hancitor-infection-with-IcedID.pcap   (1,987,090 bytes)

• 2017-11-21-email-and-malware-from-Hancitor-infection.zip   509.5 kB (509,489 bytes)

• 2017-11-21-Hancitor-malspam-example.eml   (7,725 bytes)
• BN2886.tmp   (77,824 bytes)
• atctaachi.exe   (344,064 bytes)
• invoice_653074.doc   (321,024 bytes)

 

NOTES:

• There's still Pony and Evil Pony (both file-less) being downloaded by Hancitor, but no Zeus Panda Banker today
• Instead, I saw a file downloader grabbing the IcedID (Bokbot).

Shown above:  How I understand the current infection chain.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• 511boots[.]com
• globalretailconcepts[.]com
• packin-tee[.]com
• packin-tees[.]com
• packintee[.]com
• packintee[.]net
• ridgeoutdoors[.]net
• swatfootwear[.]com
• usroute66popcorn[.]com

• fortroledin[.]com
• himsedtione[.]ru
• hxxp[:]//artifexbygg[.]se/wp-content/plugins/easyrotator-for-wordpress/1
• hxxp[:]//artifexbygg[.]se/wp-content/plugins/easyrotator-for-wordpress/2
• hxxp[:]//artifexbygg[.]se/wp-content/plugins/easyrotator-for-wordpress/3
• hxxp[:]//artifexbygg[.]se/wp-content/plugins/easyrotator-for-wordpress/4
• hxxp[:]//kbentertainmentanddesign[.]com/wp-content/plugins/easyrotator-for-wordpress/1
• hxxp[:]//kbentertainmentanddesign[.]com/wp-content/plugins/easyrotator-for-wordpress/2
• hxxp[:]//kbentertainmentanddesign[.]com/wp-content/plugins/easyrotator-for-wordpress/3
• hxxp[:]//kbentertainmentanddesign[.]com/wp-content/plugins/easyrotator-for-wordpress/4
• fortroledin[.]com
• agaratas[.]com
• atlanimeday[.]com
• gooblesooq[.]com

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date/Time:  Tuesday 2017-11-21 as early as 15:29 UTC through at least 16:48 UTC
• Subject:  Your confirmation for HoldMail Service request
• From:  "US Postal Service" <mailhold@usapack[.]com>

• Received: from usapack[.]com ([12.22.103[.]35])
• Received: from usapack[.]com ([12.54.23[.]2])
• Received: from usapack[.]com ([12.94.151[.]102])
• Received: from usapack[.]com ([12.162.129[.]58])
• Received: from usapack[.]com ([12.187.34[.]75])
• Received: from usapack[.]com ([12.202.108[.]99])
• Received: from usapack[.]com ([23.99.83[.]245])
• Received: from usapack[.]com ([50.58.211[.]106])
• Received: from usapack[.]com ([50.226.203[.]178])
• Received: from usapack[.]com ([64.203.236[.]7])
• Received: from usapack[.]com ([67.91.179[.]36])
• Received: from usapack[.]com ([70.25.0[.]247])
• Received: from usapack[.]com ([71.119.122[.]65])
• Received: from usapack[.]com ([72.4.5[.]34])
• Received: from usapack[.]com ([74.81.115[.]46])
• Received: from usapack[.]com ([74.205.144[.]158])
• Received: from usapack[.]com ([75.145.28[.]141])
• Received: from usapack[.]com ([97.65.11[.]98])
• Received: from usapack[.]com ([97.68.33[.]27])
• Received: from usapack[.]com ([103.60.214[.]196])
• Received: from usapack[.]com ([104.201.90[.]210])
• Received: from usapack[.]com ([162.222.234[.]111])
• Received: from usapack[.]com ([162.245.37[.]122])
• Received: from usapack[.]com ([162.255.200[.]138])
• Received: from usapack[.]com ([170.249.183[.]166])
• Received: from usapack[.]com ([172.110.242[.]150])
• Received: from usapack[.]com ([184.2.65[.]4])
• Received: from usapack[.]com ([184.69.205[.]206])
• Received: from usapack[.]com ([187.157.157[.]210])
• Received: from usapack[.]com ([192.92.4[.]16])
• Received: from usapack[.]com ([204.195.154[.]167])
• Received: from usapack[.]com ([207.58.222[.]34])
• Received: from usapack[.]com ([207.201.212[.]250])
• Received: from usapack[.]com ([209.37.252[.]130])
• Received: from usapack[.]com ([209.251.144[.]44])
• Received: from usapack[.]com (16.radissonjdc.netexpress[.]net [64.22.213[.]241])
• Received: from usapack[.]com (24-182-216-82.static.ftwo.tx.charter[.]com [24.182.216[.]82])
• Received: from usapack[.]com (24-183-26-75.dhcp.fdul.wi.charter[.]com [24.183.26[.]75])
• Received: from usapack[.]com (24-197-86-42.static.mtgm.al.charter[.]com [24.197.86[.]42])
• Received: from usapack[.]com (24-240-172-42.static.hckr.nc.charter[.]com [24.240.172[.]42])
• Received: from usapack[.]com (45-18-17-125.lightspeed.irvnca.sbcglobal[.]net [45.18.17[.]125])
• Received: from usapack[.]com (50-73-11-141-richmond.hfc.comcastbusiness[.]net [50.73.11[.]141])
• Received: from usapack[.]com (50-77-19-245-static.hfc.comcastbusiness[.]net [50.77.19[.]245])
• Received: from usapack[.]com (50-78-130-206-static.hfc.comcastbusiness[.]net [50.78.130[.]206])
• Received: from usapack[.]com (50-78-81-125-static.hfc.comcastbusiness[.]net [50.78.81[.]125])
• Received: from usapack[.]com (50-198-118-121-static.hfc.comcastbusiness[.]net [50.198.118[.]121])
• Received: from usapack[.]com (50-243-20-193-static.hfc.comcastbusiness[.]net [50.243.20[.]193])
• Received: from usapack[.]com (50-255-125-165-static.hfc.comcastbusiness[.]net [50.255.125[.]165])
• Received: from usapack[.]com (66-193-155-98.static.twtelecom[.]net [66.193.155[.]98])
• Received: from usapack[.]com (70-89-79-149-Georgia.hfc.comcastbusiness[.]net [70.89.79[.]149])
• Received: from usapack[.]com (71-12-100-6.static.mtgm.al.charter[.]com [71.12.100[.]6])
• Received: from usapack[.]com (71-15-21-35.dhcp.ahvl.nc.charter[.]com [71.15.21[.]35])
• Received: from usapack[.]com (75.97.231.135.res-cmts.leh.ptd[.]net [75.97.231[.]135])
• Received: from usapack[.]com (96-18-238-179.cpe.cableone[.]net [96.18.238[.]179])
• Received: from usapack[.]com (96-37-147-182.static.leds.al.charter[.]com [96.37.147[.]182])
• Received: from usapack[.]com (96-68-207-122-static.hfc.comcastbusiness[.]net [96.68.207[.]122])
• Received: from usapack[.]com (96-84-197-194-static.hfc.comcastbusiness[.]net [96.84.197[.]194])
• Received: from usapack[.]com (96-95-178-9-static.hfc.comcastbusiness[.]net [96.95.178[.]9])
• Received: from usapack[.]com (97-88-126-215.dhcp.stls.mo.charter[.]com [97.88.126[.]215])
• Received: from usapack[.]com (99-32-253-114.lightspeed.rlghnc.sbcglobal[.]net [99.32.253[.]114])
• Received: from usapack[.]com (173-9-179-53-miami.txt.hfc.comcastbusiness[.]net [173.9.179[.]53])
• Received: from usapack[.]com (173-219-110-68.end1cmtc01[.]com.sta.suddenlink[.]net [173.219.110[.]68])
• Received: from usapack[.]com (174-126-103-159.cpe.cableone[.]net [174.126.103[.]159])
• Received: from usapack[.]com (adsl-69-232-81-238.dsl.sndg02.pacbell[.]net [69.232.81[.]238])
• Received: from usapack[.]com (adsl-76-237-148-143.dsl.chcgil.sbcglobal[.]net [76.237.148[.]143])
• Received: from usapack[.]com (adsl-99-64-219-166.dsl.stl2mo.sbcglobal[.]net [99.64.219[.]166])
• Received: from usapack[.]com (archiver.seacrestservices[.]com [72.17.199[.]254])
• Received: from usapack[.]com (business-188-142-224-217.business.broadband[.]hu [188.142.224[.]217])
• Received: from usapack[.]com (cpe-static-negastroenterologyofhonesdale-rtr.cmts.haw.ptd[.]net [24.238.61[.]74])
• Received: from usapack[.]com (cpe6-168.sweetwaterhsa[.]com [206.217.6[.]169])
• Received: from usapack[.]com (figaro.chrr.ohio-state[.]edu [140.254.199[.]23])
• Received: from usapack[.]com (h69-129-179-181.nwblwi.dedicated.static.tds[.]net [69.129.179[.]181])
• Received: from usapack[.]com (ip21-69.neill[.]net [208.245.21[.]69])
• Received: from usapack[.]com (mail.KTDesigngroup[.]com [70.61.145[.]82])
• Received: from usapack[.]com (mail.shopeconcrete[.]com [70.89.139[.]233])
• Received: from usapack[.]com (mail2.communityautomotive[.]com [173.162.49[.]233])
• Received: from usapack[.]com (modemcable074.248-70-69.static.videotron[.]ca [69.70.248[.]74])
• Received: from usapack[.]com (ool-addc3ac2.static.optonline[.]net [173.220.58[.]194])
• Received: from usapack[.]com (pool-71-161-196-16.burl.east.myfairpoint[.]net [71.161.196[.]16])
• Received: from usapack[.]com (remote.aaablastcote[.]com [12.193.182[.]66])
• Received: from usapack[.]com (rrcs-50-84-166-122.sw.biz.rr[.]com [50.84.166[.]122])
• Received: from usapack[.]com (rrcs-69-193-167-218.nyc.biz.rr[.]com [69.193.167[.]218])
• Received: from usapack[.]com (rrcs-70-60-26-78.central.biz.rr[.]com [70.60.26[.]78])
• Received: from usapack[.]com (rrcs-72-43-170-166.nyc.biz.rr[.]com [72.43.170[.]166])
• Received: from usapack[.]com (rrcs-74-219-41-38.central.biz.rr[.]com [74.219.41[.]38])
• Received: from usapack[.]com (rrcs-97-76-154-114.se.biz.rr[.]com [97.76.154[.]114])
• Received: from usapack[.]com (rrcs-97-78-8-202.se.biz.rr[.]com [97.78.8[.]202])
• Received: from usapack[.]com (rrcs-108-176-96-162.nys.biz.rr[.]com [108.176.96[.]162])
• Received: from usapack[.]com (s75-152-226-254.ab.hsia.telus[.]net [75.152.226[.]254])
• Received: from usapack[.]com (static-72-76-45-178.nwrknj.fios.verizon[.]net [72.76.45[.]178])
• Received: from usapack[.]com (static-72-87-95-7.prvdri.fios.verizon[.]net [72.87.95[.]7])
• Received: from usapack[.]com (wsip-72-206-78-171.br.br.cox[.]net [72.206.78[.]171])
• Received: from usapack[.]com (wsip-98-190-50-103.hr.hr.cox[.]net [98.190.50[.]103])

 

Shown above:  Clicking on a link from one of the emails.

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

LINKS IN THE EMAILS TO THE WORD DOCUMENT:

• hxxp[:]//511boots[.]com?053U8i7CA3aExu533=[recipient's email address]
• hxxp[:]//511boots[.]com?2U50s8c0rEc5Gaa24v=[recipient's email address]
• hxxp[:]//511boots[.]com?5SUny7IZy5R=[recipient's email address]
• hxxp[:]//511boots[.]com?8ErK3x0o5y6ys=[recipient's email address]
• hxxp[:]//511boots[.]com?ae13aAkEh2jUsxDV=[recipient's email address]
• hxxp[:]//511boots[.]com?mqAs73ko2oaa0Od=[recipient's email address]
• hxxp[:]//511boots[.]com?u3=[recipient's email address]
• hxxp[:]//511boots[.]com?vRYH468f3=[recipient's email address]
• hxxp[:]//511boots[.]com?xe2on1jU13=[recipient's email address]
• hxxp[:]//511boots[.]com?XyvYeO5f7j06uO=[recipient's email address]
• hxxp[:]//511boots[.]com?YugZEUq8V4shEQX1=[recipient's email address]
• hxxp[:]//511footwear[.]com?0co6AWuLyF2uK8iG=[recipient's email address]
• hxxp[:]//511footwear[.]com?1Omb8EQUIb=[recipient's email address]
• hxxp[:]//511footwear[.]com?32oE1iUEUU46y4uss6=[recipient's email address]
• hxxp[:]//511footwear[.]com?44iVOMw1r4e3Z7=[recipient's email address]
• hxxp[:]//511footwear[.]com?4ioK6a1t4sR320o0aq=[recipient's email address]
• hxxp[:]//511footwear[.]com?5j5Zoc47582Faf2A3=[recipient's email address]
• hxxp[:]//511footwear[.]com?6y45aqwa81l5p7AP=[recipient's email address]
• hxxp[:]//511footwear[.]com?73e80VHCe14XRgEE=[recipient's email address]
• hxxp[:]//511footwear[.]com?8U1x4EEavQjo4y7=[recipient's email address]
• hxxp[:]//511footwear[.]com?bo0yT2f2P7=[recipient's email address]
• hxxp[:]//511footwear[.]com?jE5qZ=[recipient's email address]
• hxxp[:]//511footwear[.]com?jtI1U3aofU106iE=[recipient's email address]
• hxxp[:]//511footwear[.]com?Oeaajy6OyQiR0oDY=[recipient's email address]
• hxxp[:]//511footwear[.]com?VUym=[recipient's email address]
• hxxp[:]//511footwear[.]com?x8AlU708hNxuiFG0y=[recipient's email address]
• hxxp[:]//511footwear[.]com?Zezt0P4ipU8d=[recipient's email address]
• hxxp[:]//globalretailconcepts[.]com?4ZY2U0y057gyi4o6P=[recipient's email address]
• hxxp[:]//globalretailconcepts[.]com?5qEJy=[recipient's email address]
• hxxp[:]//globalretailconcepts[.]com?63dAdeAhLYs2x=[recipient's email address]
• hxxp[:]//globalretailconcepts[.]com?CoG04ozg276yv3=[recipient's email address]
• hxxp[:]//globalretailconcepts[.]com?eA0sIociq2UYEaYN4j=[recipient's email address]
• hxxp[:]//globalretailconcepts[.]com?I3AOQfk0U07hiI4Z47=[recipient's email address]
• hxxp[:]//globalretailconcepts[.]com?jA0j0836B163q1E0=[recipient's email address]
• hxxp[:]//globalretailconcepts[.]com?Kg8i1u7jKt0kSF22C3=[recipient's email address]
• hxxp[:]//globalretailconcepts[.]com?OmUj77X810MC=[recipient's email address]
• hxxp[:]//globalretailconcepts[.]com?pA6swt8OipOl=[recipient's email address]
• hxxp[:]//globalretailconcepts[.]com?r7VcH2f5li8=[recipient's email address]
• hxxp[:]//packin-tee[.]com?0IF78meOaA3AC2A6A=[recipient's email address]
• hxxp[:]//packin-tee[.]com?24AEsyijxRu8EDIuo=[recipient's email address]
• hxxp[:]//packin-tee[.]com?277sxO3I52Qyh=[recipient's email address]
• hxxp[:]//packin-tee[.]com?55zI7Z8UDU5zY6La=[recipient's email address]
• hxxp[:]//packin-tee[.]com?eA7eGo2IL1P87v=[recipient's email address]
• hxxp[:]//packin-tee[.]com?lNOG0me5T4OVHU=[recipient's email address]
• hxxp[:]//packin-tee[.]com?LYn7uiZkUDJ3f4y=[recipient's email address]
• hxxp[:]//packin-tee[.]com?s26Yp00uA817IK87H=[recipient's email address]
• hxxp[:]//packin-tee[.]com?w6INu=[recipient's email address]
• hxxp[:]//packin-tee[.]com?yv0EIu3a1iiD8u=[recipient's email address]
• hxxp[:]//packin-tees[.]com?1mybEQC6=[recipient's email address]
• hxxp[:]//packin-tees[.]com?1Y48856EDda6=[recipient's email address]
• hxxp[:]//packin-tees[.]com?4sy8el0VmIr5N=[recipient's email address]
• hxxp[:]//packin-tees[.]com?642Oxo8eSQ5s1K=[recipient's email address]
• hxxp[:]//packin-tees[.]com?8sT7IagA331=[recipient's email address]
• hxxp[:]//packin-tees[.]com?AxeeFy2W840=[recipient's email address]
• hxxp[:]//packin-tees[.]com?C06ECjyGz4sEeH=[recipient's email address]
• hxxp[:]//packin-tees[.]com?DeH3QG5Lxk6NT0=[recipient's email address]
• hxxp[:]//packin-tees[.]com?f73IeYUm1dUDeQx=[recipient's email address]
• hxxp[:]//packin-tees[.]com?G0w7p27B58m3z45=[recipient's email address]
• hxxp[:]//packin-tees[.]com?Jiq=[recipient's email address]
• hxxp[:]//packin-tees[.]com?XafY3m2O=[recipient's email address]
• hxxp[:]//packintee[.]com?0114SEmee0oa888=[recipient's email address]
• hxxp[:]//packintee[.]com?6xOJdm0Ur6EyXEpA8=[recipient's email address]
• hxxp[:]//packintee[.]com?8y31yzg0LozDZ6E=[recipient's email address]
• hxxp[:]//packintee[.]com?A7156Fkuo5=[recipient's email address]
• hxxp[:]//packintee[.]com?B4YhINue7a2=[recipient's email address]
• hxxp[:]//packintee[.]com?d7a8YPmO=[recipient's email address]
• hxxp[:]//packintee[.]com?fe6oBaEOkiGJ5iIVl=[recipient's email address]
• hxxp[:]//packintee[.]com?fkHP3oBK1ICxCAFU0=[recipient's email address]
• hxxp[:]//packintee[.]com?G2j=[recipient's email address]
• hxxp[:]//packintee[.]com?MZ0Mxa2gUerM66U=[recipient's email address]
• hxxp[:]//packintee[.]com?xIzuo=[recipient's email address]
• hxxp[:]//packintee[.]net?20psdIxaF0OQ218wu=[recipient's email address]
• hxxp[:]//packintee[.]net?3mu4uNuKA8IS1=[recipient's email address]
• hxxp[:]//packintee[.]net?60nAzAJiUOuO3G=[recipient's email address]
• hxxp[:]//packintee[.]net?7ZEOLhuIPz1fI3U=[recipient's email address]
• hxxp[:]//packintee[.]net?D6EO602tiT0YEG=[recipient's email address]
• hxxp[:]//packintee[.]net?o8Ena6q525em=[recipient's email address]
• hxxp[:]//packintee[.]net?Y2E173KGuu68EYya11=[recipient's email address]
• hxxp[:]//packintee[.]net?zYh7H4Bo203Zu7=[recipient's email address]
• hxxp[:]//ridgeoutdoors[.]net?0d3143SD7E30KP3=[recipient's email address]
• hxxp[:]//ridgeoutdoors[.]net?0SICYg6a0ULE47l=[recipient's email address]
• hxxp[:]//ridgeoutdoors[.]net?0V7i03haU2io4o=[recipient's email address]
• hxxp[:]//ridgeoutdoors[.]net?30e6o8W6Ak4l125=[recipient's email address]
• hxxp[:]//ridgeoutdoors[.]net?4AOON5NFYhZ=[recipient's email address]
• hxxp[:]//ridgeoutdoors[.]net?4u8kE3AkAa=[recipient's email address]
• hxxp[:]//ridgeoutdoors[.]net?8l1Q5P2EWu688=[recipient's email address]
• hxxp[:]//ridgeoutdoors[.]net?gi03Oxu5YJ8co6G4=[recipient's email address]
• hxxp[:]//ridgeoutdoors[.]net?IXyuE8pwKqDU=[recipient's email address]
• hxxp[:]//ridgeoutdoors[.]net?QAFG1248KlMOh01YZ=[recipient's email address]
• hxxp[:]//ridgeoutdoors[.]net?s71e8ycdJeBIR551M=[recipient's email address]
• hxxp[:]//ridgeoutdoors[.]net?VaY1A3URUEQiuUefcu=[recipient's email address]
• hxxp[:]//ridgeoutdoors[.]net?x6BFYvY68=[recipient's email address]
• hxxp[:]//ridgeoutdoors[.]net?Y0bP=[recipient's email address]
• hxxp[:]//ridgeoutdoors[.]net?y8oI7piH8u=[recipient's email address]
• hxxp[:]//swatfootwear[.]com?28=[recipient's email address]
• hxxp[:]//swatfootwear[.]com?2h40be52tNo4J07=[recipient's email address]
• hxxp[:]//swatfootwear[.]com?3418X2=[recipient's email address]
• hxxp[:]//swatfootwear[.]com?3jOA4cu4O8=[recipient's email address]
• hxxp[:]//swatfootwear[.]com?4Usx7UBgPIcIFoS=[recipient's email address]
• hxxp[:]//swatfootwear[.]com?5124No576B14P=[recipient's email address]
• hxxp[:]//swatfootwear[.]com?74EthUe5ez2f3=[recipient's email address]
• hxxp[:]//swatfootwear[.]com?aUG8tOm80C=[recipient's email address]
• hxxp[:]//swatfootwear[.]com?b7vi5UIAeuhUNQ2=[recipient's email address]
• hxxp[:]//swatfootwear[.]com?detE7Za71s33P64=[recipient's email address]
• hxxp[:]//swatfootwear[.]com?KE5a2lA7M2dU5u6N=[recipient's email address]
• hxxp[:]//swatfootwear[.]com?na04m1Jo31=[recipient's email address]
• hxxp[:]//swatfootwear[.]com?nUyis1D7A=[recipient's email address]
• hxxp[:]//swatfootwear[.]com?ta6OB0XYm=[recipient's email address]
• hxxp[:]//swatfootwear[.]com?TO0aZ4y12Co=[recipient's email address]
• hxxp[:]//swatfootwear[.]com?wuU61t3=[recipient's email address]
• hxxp[:]//swatfootwear[.]com?Yox1AEqUfH=[recipient's email address]
• hxxp[:]//usroute66popcorn[.]com?0Zv6s36RpZaDhOc=[recipient's email address]
• hxxp[:]//usroute66popcorn[.]com?2tj4w68MRk=[recipient's email address]
• hxxp[:]//usroute66popcorn[.]com?7o8p8gy7ba2yE0CS0=[recipient's email address]
• hxxp[:]//usroute66popcorn[.]com?8E64e4J=[recipient's email address]
• hxxp[:]//usroute66popcorn[.]com?8iUacUAHO78M=[recipient's email address]
• hxxp[:]//usroute66popcorn[.]com?EE86KEVTjd58a7ATy=[recipient's email address]
• hxxp[:]//usroute66popcorn[.]com?P6SYKyUjh=[recipient's email address]
• hxxp[:]//usroute66popcorn[.]com?YP618if15JV6PyGaQG=[recipient's email address]

NETWORK TRAFFIC FROM MY INFECTED LAB HOST:

• 45.76.37[.]60 port 80 - usroute66popcorn[.]com - GET /?P6SYKyUjh=[recipient's email address]
• api.ipify[.]org - GET /
• 91.221.37[.]38 port 80 - fortroledin[.]com - POST /ls5/forum.php
• 185.111.107[.]150 port 80 - himsedtione[.]ru - POST /ls5/forum.php
• 185.111.107[.]150 port 80 - himsedtione[.]ru - POST /mlu/forum.php
• 31.216.35[.]44 port 80 - artifexbygg[.]se - GET /wp-content/plugins/easyrotator-for-wordpress/1
• 31.216.35[.]44 port 80 - artifexbygg[.]se - GET /wp-content/plugins/easyrotator-for-wordpress/2
• 31.216.35[.]44 port 80 - artifexbygg[.]se - GET /wp-content/plugins/easyrotator-for-wordpress/4
• 96.0.148[.]2 port 80 - kbentertainmentanddesign[.]com - GET /wp-content/plugins/easyrotator-for-wordpress/2
• 96.0.148[.]2 port 80 - kbentertainmentanddesign[.]com - GET /wp-content/plugins/easyrotator-for-wordpress/4
• 91.221.37[.]38 port 80 - fortroledin[.]com - POST /d2/about.php
• 185.153.198[.]40 port 80 - agaratas[.]com - GET /docs/new?id=84AC83F50000000E   [file downloader retrieves IcedID]
• 185.5.251[.]33 port 443 - atlanimeday[.]com - HTTPS/SSL/TLS traffic (IcedID C2)
• 185.5.251[.]33 port 443 - localhost - HTTPS/SSL/TLS traffic (IcedID C2)
• 185.127.26[.]227 port 443 - gooblesooq[.]com - HTTPS/SSL/TLS traffic (IcedID C2)
• 185.127.26[.]227 port 443 - localhost - HTTPS/SSL/TLS traffic (IcedID C2)

 

FILE HASHES

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  5d3651d7ee057156eabf329b198a46c19a51212ed034cc649a2edb6f3822ef13
  File size:  321,024 bytes
  File name:  invoice_[6 random digits].doc
  File description:  Word document with macros for Hancitor

• SHA256 hash:  2a6e8d001a8f7783ea07df1e4bcd83d1551a70f954b72293a6552a178780e70a
  File size:  77,824 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\BN2886.tmp
  File description:  File downloader that grabbed the IcedID (Bokbot)

• SHA256 hash:  be2181efefe936a9a7560c8914b6a7688c9fe7c2fcd7d164425d37fd7db878a8
  File size:  344,064 bytes
  File location:  C:\Users\[username]\AppData\Roaming\C08BCF4A.exe
  File location:  C:\Users\[username]\AppData\Local\atctaachi\atctaachi.exe
  File description:  IcedID (Bokbot)

 

IMAGES

Shown above:  Some alerts from Sguil in Security Onion using Suricata and the EmergingThreats ruleset.

 

Shown above:  Some alerts using Snort 2.9.11 and the Snort subscription ruleset when playing back the same pcap.

 

Shown above:  IceID persistent on the infected Windows host.

 

Click here to return to the main page.