2018-10-09 - HANCITOR INFECTION WITH ZEUS PANDA BANKER

ASSOCIATED FILES:

  • 2018-10-09-Hancitor-malspam-1459-UTC.eml   (26,787 bytes)
  • 2018-10-09-Hancitor-malspam-1502-UTC.eml   (26,831 bytes)
  • 2018-10-09-Hancitor-malspam-1608-UTC.eml   (26,780 bytes)
  • 2018-10-09-Hancitor-infection-with-Zeus-Panda-Banker.pcap   (522,205 bytes)
  • 2018-10-09-downloaded-Word-doc-with-macro-for-Hancitor.doc   (205,312 bytes)
  • 2018-10-09-Hancitor-malware-binary.exe   (66,560 bytes)
  • 2018-10-09-Zeus-Panda-Banker-caused-by-Hancitor.exe   (143,360 bytes)

NOTES:


Shown above:  Flow chart for a typical Hancitor malspam infection.

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

HEADERS FROM A MALSPAM EXAMPLE


Shown above:  Screenshot from one of the emails.

Received: from vantibolli.com ([24.35.224.24]) by [removed] for [removed];
        Tue, 09 Oct 2018 16:06:40 +0000 (UTC)
Message-ID: <1BEAEE8F.56D173F7@vantibolli.com>
Date: Tue, 09 Oct 2018 11:08:54 -0500
From: "UPS Choice" <att@ups@vantibolli.com>
X-Mailer: iPad Mail (13E237)
MIME-Version: 1.0
To:
[removed]
Subject: Notice from UPS
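As an added example (my own code, not part of the original post or any tool the post uses), here is a small header-triage script that parses the header block quoted above and pulls out what a defender would record from it: the connecting IP and HELO name from the Received line, and the From display name and address. It flags the two things worth alerting on in this sample: the From address is not a valid addr-spec (two "@" signs), and the display name claims UPS while the sending domain is vantibolli.com. The BRAND_DOMAINS table and all function names are assumptions of mine; the embedded header sample is the one quoted in the post.

```python
import re
from typing import Dict, List

# Header block exactly as quoted in the post; "[removed]" is the post's own redaction.
SAMPLE_HEADERS = """\
Received: from vantibolli.com ([24.35.224.24]) by [removed] for [removed];
        Tue, 09 Oct 2018 16:06:40 +0000 (UTC)
Message-ID: <1BEAEE8F.56D173F7@vantibolli.com>
Date: Tue, 09 Oct 2018 11:08:54 -0500
From: "UPS Choice" <att@ups@vantibolli.com>
X-Mailer: iPad Mail (13E237)
MIME-Version: 1.0
To:
[removed]
Subject: Notice from UPS
"""

# Hypothetical brand table (an assumption, not from the post): display-name keywords
# mapped to the domains that legitimately send mail as that brand.
BRAND_DOMAINS = {"ups": {"ups.com"}}

HEADER_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)")
FROM_RE = re.compile(r'^\s*"?([^"<]*?)"?\s*<([^>]*)>\s*$')


def parse_headers(raw: str) -> Dict[str, str]:
    """Unfold RFC 5322 headers into a dict. Continuation lines normally start with
    whitespace; a line with no 'Name:' prefix is also treated as a continuation,
    which keeps the redacted 'To:' line from truncating the parse."""
    headers: Dict[str, str] = {}
    current = None
    for line in raw.splitlines():
        m = HEADER_RE.match(line)
        if m and not line[0].isspace():
            current = m.group(1)
            headers[current] = m.group(2).strip()
        elif current is not None:
            headers[current] = (headers[current] + " " + line.strip()).strip()
    return headers


def domain_allowed_for(domain: str, brand: str) -> bool:
    """True if domain is one of the brand's sending domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS[brand])


def analyze(headers: Dict[str, str]) -> Dict[str, object]:
    """Extract sender indicators and flag a malformed From addr-spec and a display
    name that claims a brand whose domains do not match the actual sender domain."""
    findings: List[str] = []
    result: Dict[str, object] = {"findings": findings}

    # Connecting host and the name it gave in HELO/EHLO, from the Received line.
    m = RECEIVED_RE.search(headers.get("Received", ""))
    result["helo"] = m.group(1) if m else None
    result["sender_ip"] = m.group(2) if m else None

    display, addr = "", headers.get("From", "")
    m = FROM_RE.match(addr)
    if m:
        display, addr = m.group(1).strip(), m.group(2).strip()
    result["from_display"] = display
    result["from_addr"] = addr

    # A valid addr-spec has exactly one '@'; anything else is malformed and can
    # confuse naive "split on @" handling in downstream tooling.
    result["malformed_from"] = addr.count("@") != 1
    if result["malformed_from"]:
        findings.append(f"From address is not a valid addr-spec: {addr!r}")

    # The domain a reply would actually go to is the text after the last '@'.
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    result["from_domain"] = domain

    # Display-name brand spoofing: the name says "UPS", the domain is not UPS's.
    spoofed = False
    for brand in BRAND_DOMAINS:
        if re.search(rf"\b{re.escape(brand)}\b", display.lower()) and not domain_allowed_for(domain, brand):
            spoofed = True
            findings.append(f"display name claims {brand.upper()} but sender domain is {domain or '(none)'}")
    result["brand_spoof"] = spoofed

    result["x_mailer"] = headers.get("X-Mailer")
    return result


if __name__ == "__main__":
    for key, value in analyze(parse_headers(SAMPLE_HEADERS)).items():
        print(f"{key}: {value}")
```

The parser deliberately does not use Python's `email` package: the redacted "To:" continuation line has no leading whitespace, so a strict parser would treat it as the start of the body and lose the Subject line. The brand check is a word match on the display name, so "UPS Choice" triggers it while an unrelated name containing "ups" inside a word does not.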

 


Shown above:  Malicious Word document downloaded from link in the malspam.

TRAFFIC

LINKS IN THE EMAILS TO DOWNLOAD THE WORD DOCUMENT:


Shown above:  Traffic from an infection filtered in Wireshark.

TRAFFIC FROM AN INFECTED WINDOWS HOST:

FILE HASHES

MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
