2018-10-22 - QUICK POST: HANCITOR MALSPAM - NO ZEUS PANDA BANKER... JUST PONY

ASSOCIATED FILES:

  • 2018-10-22-Hancitor-malspam-1638-UTC.eml   (4,237 bytes)
  • 2018-10-22-Hancitor-malspam-1702-UTC.eml   (4,241 bytes)
  • 2018-10-22-Hancitor-malspam-1844-UTC.eml   (4,200 bytes)
  • 2018-10-22-Hancitor-malspam-infection-traffic.pcap   (380,858 bytes)
  • 2018-10-22-downloaded-Word-doc-with-macro-for-Hancitor.doc   (208,896 bytes)
  • 2018-10-22-Hancitor-malware-binary.exe   (73,728 bytes)
  • 2018-10-22-Fareit-Pony.dll   (71,680 bytes)

NOTES:

 

IMAGES


Shown above:  Flow chart for today's Hancitor infection (different from the usual chain: no Zeus Panda Banker follow-up, just Pony).

 


Shown above:  Screenshot from one of today's email examples.

 


Shown above:  Downloading a malicious Word doc from the email link.
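The first stage of today's chain is a link in the email that leads to the Word doc.  As an added triage example (this is not code from the original post, and the message below is a constructed sample using example.invalid addresses and URLs, not one of the three .eml files listed above), the following script pulls every hyperlink out of an .eml with the standard library and flags the ones that point at an Office document, so they can be fetched in a sandbox or pushed to a blocklist before anyone opens the doc:

```python
"""Extract hyperlinks from a malspam .eml and flag document downloads.

Added example for this post; not the author's code.  SAMPLE_EML is a
constructed message (example.invalid), not one of the 2018-10-22 samples.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample message for illustration only.
SAMPLE_EML = b"""From: "Billing" <billing@example.invalid>
To: victim@example.invalid
Subject: Invoice 8831 ready
Date: Mon, 22 Oct 2018 16:38:00 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your invoice is ready: http://docs.example.invalid/invoice_8831.doc

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your invoice is ready. <a href="http://docs.example.invalid/invoice_8831.doc">View invoice</a></p>
<p><a href="https://www.example.invalid/unsubscribe">Unsubscribe</a></p>
</body></html>
--b1--
"""

# Bare URLs in text; stops at whitespace, quotes, brackets and angle brackets.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)

# Extensions that indicate an Office/RTF lure like today's macro doc.
DOC_EXTS = (".doc", ".docm", ".docx", ".rtf")


class _HrefCollector(HTMLParser):
    """Collects href values from <a> tags in an HTML body part."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def extract_urls(raw_eml):
    """Return de-duplicated URLs found in the text/plain and text/html parts."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        text = part.get_content()  # decoded str under policy.default
        if ctype == "text/html":
            collector = _HrefCollector()
            collector.feed(text)
            found.extend(collector.hrefs)
        found.extend(URL_RE.findall(text))
    seen, ordered = set(), []
    for url in found:
        if url not in seen:
            seen.add(url)
            ordered.append(url)
    return ordered


def document_links(urls):
    """Keep only URLs whose path (query string stripped) ends in a document extension."""
    return [u for u in urls if u.lower().split("?", 1)[0].endswith(DOC_EXTS)]


if __name__ == "__main__":
    urls = extract_urls(SAMPLE_EML)
    print("all links:", urls)
    print("document downloads:", document_links(urls))
```

The extension check is only a first cut: a redirector or a link with no extension can still serve a Word doc, so anything the filter drops should still be resolved in a sandbox and compared against the pcap.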

 


Shown above:  Traffic from an infection filtered in Wireshark.

 


Shown above:  I saw one follow-up download for Pony.

 


Shown above:  Pony DLL found as a .tmp file on the infected Windows host.
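A DLL written to disk under a .tmp name is a simple thing to check for on a suspect host, because the file header gives it away regardless of the extension.  As an added example (not code from the original post; the "PE images" it scans are constructed header-only stubs built in memory, not the Pony sample), the following script walks a directory for .tmp files, reads the DOS and COFF headers, and reports which ones are really PE images and whether the IMAGE_FILE_DLL flag is set:

```python
"""Find PE images hiding under .tmp names by parsing the DOS/COFF headers.

Added example for this post; not the author's code.  build_fake_pe() makes
a constructed header-only stub for testing and is not a real binary.
"""
import os
import struct
import tempfile

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
HEAD_READ_SIZE = 4096  # e_lfanew in real binaries sits well inside this


def classify_pe(data):
    """Return 'dll', 'exe' or 'not-pe' from the first bytes of a file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need the 4-byte signature plus the 20-byte COFF file header.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return "not-pe"
    # Characteristics is at offset 18 within the COFF file header.
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def find_pe_tmp_files(directory, suffix=".tmp"):
    """Return sorted (path, kind) pairs for .tmp files that are really PE images."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.lower().endswith(suffix):
                continue
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as f:
                    head = f.read(HEAD_READ_SIZE)
            except OSError:
                continue  # locked or vanished; Pony may delete itself after loading
            kind = classify_pe(head)
            if kind != "not-pe":
                hits.append((path, kind))
    return sorted(hits)


def build_fake_pe(is_dll):
    """Constructed header-only PE stub for testing (not loadable, not a real sample)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    # Machine=i386, 1 section, no timestamp/symbols, no optional header, Characteristics.
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\x00\x00" + coff


def demo_scan():
    """Drop DLL-shaped, EXE-shaped and plain .tmp files in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "abc123.tmp": build_fake_pe(True),
            "def456.tmp": build_fake_pe(False),
            "notes.tmp": b"just text\n",
            "real.dll": build_fake_pe(True),  # wrong suffix, must be ignored
        }
        for name, content in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        return [(os.path.basename(p), k) for p, k in find_pe_tmp_files(d)]


if __name__ == "__main__":
    for path, kind in demo_scan():
        print(f"{kind}: {path}")
```

On a live host point find_pe_tmp_files at the user's %TEMP% (and %LOCALAPPDATA%\Temp); because a dropper can delete its payload once loaded, pair this with the pcap and a file-creation timeline rather than relying on the file still being present.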

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
