2018-08-16 - HANCITOR INFECTION TRAFFIC WITH ZEUS PANDA BANKER

ASSOCIATED FILES:

NOTES:


Shown above:  Flow chart for a typical Hancitor malspam infection.


WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:


HEADERS FROM A MALSPAM EXAMPLE


Shown above:  Screenshot from one of the emails.


Received: from fallsgrovedentistry.com ([65.98.129.162]) by [removed] for [removed];
        Thu, 16 Aug 2018 17:33:44 +0000 (UTC)
Message-ID: <69C3514D.706FA590@fallsgrovedentistry.com>
Date: Thu, 16 Aug 2018 10:33:46 -0700
Reply-To: "AT&T Inc. " <att@fallsgrovedentistry.com>
From: "AT&T Inc. " <att@fallsgrovedentistry.com>
X-Mailer: iPhone Mail (11D201)
X-Accept-Language: en-us
MIME-Version: 1.0
TO:
[removed]
Subject: Your wireless invoice notification from AT&T
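The headers above carry the tells an analyst looks for in this kind of malspam: a display name that invokes a brand (AT&T) while the address and the Received hop both belong to an unrelated domain, and a client-supplied Date that can be compared against the receiving MTA's timestamp. The following Python is an added defensive example, not code from this site; it embeds the header block shown above as its sample input (the "TO:" line is reflowed onto one line so it parses as a header, and the [removed] placeholders are kept), and the BRAND_DOMAINS table is a constructed assumption standing in for whatever brand-to-domain list an organisation maintains.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# The header block shown on this page, embedded here as sample input.
# "TO:" is reflowed onto one line so it parses as a header; the [removed]
# placeholders from the page are kept as-is.
SAMPLE_HEADERS = """\
Received: from fallsgrovedentistry.com ([65.98.129.162]) by [removed] for [removed];
        Thu, 16 Aug 2018 17:33:44 +0000 (UTC)
Message-ID: <69C3514D.706FA590@fallsgrovedentistry.com>
Date: Thu, 16 Aug 2018 10:33:46 -0700
Reply-To: "AT&T Inc. " <att@fallsgrovedentistry.com>
From: "AT&T Inc. " <att@fallsgrovedentistry.com>
X-Mailer: iPhone Mail (11D201)
X-Accept-Language: en-us
MIME-Version: 1.0
To: [removed]
Subject: Your wireless invoice notification from AT&T

"""

# Assumption (constructed for this example): brands an organisation expects to see
# in display names, mapped to the domains those brands legitimately send from.
BRAND_DOMAINS = {
    "at&t": ("att.com", "att.net"),
}

# "from <helo-name> ([ip])" as written by most MTAs; the square brackets are optional.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"
)


def parse_headers(raw):
    """Parse a raw header block. The default (compat32) policy keeps Received
    values as plain strings, folded continuation lines included."""
    return message_from_string(raw)


def sending_host(msg):
    """Return (helo_name, ip) from the topmost Received header, i.e. the hop that
    handed the message to the receiving MTA. Returns None if nothing matches."""
    for line in msg.get_all("Received") or []:
        m = RECEIVED_RE.search(line)
        if m:
            return m.group("helo"), m.group("ip")
    return None


def brand_mismatch(msg, brand_domains):
    """Flag a display name that invokes a known brand while the From address domain
    is not one of that brand's domains. Returns (brand, actual_domain) or None."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, legit in brand_domains.items():
        if brand in name.lower():
            if not any(domain == d or domain.endswith("." + d) for d in legit):
                return brand, domain
    return None


def date_skew_seconds(msg):
    """Seconds between the sender-supplied Date header and the topmost Received
    timestamp (positive if Date is later). Both values are timezone-aware, so the
    subtraction is done in UTC."""
    received = msg.get_all("Received") or []
    if not received or msg.get("Date") is None:
        return None
    stamp = received[0].rsplit(";", 1)[-1]
    stamp = re.sub(r"\(.*?\)", "", stamp).strip()  # drop "(UTC)"-style comments
    return (parsedate_to_datetime(msg["Date"]) - parsedate_to_datetime(stamp)).total_seconds()


def triage(raw, brand_domains=BRAND_DOMAINS, max_skew=3600):
    """Run the checks above on a raw header block and return a summary dict;
    the "flags" list holds the human-readable findings."""
    msg = parse_headers(raw)
    flags = []
    host = sending_host(msg)
    mismatch = brand_mismatch(msg, brand_domains)
    if mismatch:
        flags.append("display name claims %r but sender domain is %s" % mismatch)
    skew = date_skew_seconds(msg)
    if skew is not None and abs(skew) > max_skew:
        flags.append("Date header is %.0f s away from Received timestamp" % skew)
    return {"sending_host": host, "brand_mismatch": mismatch,
            "date_skew_s": skew, "flags": flags}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS).items():
        print(key, "=", value)
```

On the page's sample the brand check fires (the name says AT&T, the domain is fallsgrovedentistry.com) while the Date skew is only two seconds, which is consistent with the sending host's clock rather than a forged timestamp; the sending host and IP it extracts are the values to pivot on in mail logs. Only the topmost Received header is trusted here, because it was written by the receiving MTA; lower hops can be fabricated by the sender.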



Shown above:  Malicious Word document downloaded from link in the malspam.


TRAFFIC

LINKS IN THE EMAILS TO DOWNLOAD THE WORD DOCUMENT:



Shown above:  Traffic from an infection filtered in Wireshark.



Shown above:  Traffic from failed TCP connections by soutmestiho.com filtered in Wireshark.


TRAFFIC FROM AN INFECTED WINDOWS HOST:


FILE HASHES

MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
