2017-11-21 - HANCITOR MALSPAM - NOW SEEING ICEDID BANKING TROJAN (NOT ZEUS PANDA BANKER)

ASSOCIATED FILES:

• Zip archive of the pcap:  2017-11-21-Hancitor-malspam-traffic.pcap.zip   1.7 MB (1,699,032 bytes)

• 2017-11-21-Hancitor-malspam-traffic.pcap   (1,987,090 bytes)

• Zip archive of the malware:  2017-11-21-Hancitor-malspam-example-and-artifacts.zip   509 kB (508,831 bytes)

• 2017-11-21-Hancitor-malspam-example.eml   (7,725 bytes)
• BN2886.tmp   (77,824 bytes)
• atctaachi.exe   (344,064 bytes)
• invoice_653074.doc   (321,024 bytes)

 

NOTES:

• There's still Pony and Evil Pony (both file-less) being downloaded by Hancitor, but no more Zeus Panda Banker
• Instead, I saw a file downloader grabbing the IcedID banking Trojan.

Shown above:  How I understand the current infection chain.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• 511boots.com
• globalretailconcepts.com
• packin-tee.com
• packin-tees.com
• packintee.com
• packintee.net
• ridgeoutdoors.net
• swatfootwear.com
• usroute66popcorn.com

• fortroledin.com
• himsedtione.ru
• hxxp://artifexbygg.se/wp-content/plugins/easyrotator-for-wordpress/1
• hxxp://artifexbygg.se/wp-content/plugins/easyrotator-for-wordpress/2
• hxxp://artifexbygg.se/wp-content/plugins/easyrotator-for-wordpress/3
• hxxp://artifexbygg.se/wp-content/plugins/easyrotator-for-wordpress/4
• hxxp://kbentertainmentanddesign.com/wp-content/plugins/easyrotator-for-wordpress/1
• hxxp://kbentertainmentanddesign.com/wp-content/plugins/easyrotator-for-wordpress/2
• hxxp://kbentertainmentanddesign.com/wp-content/plugins/easyrotator-for-wordpress/3
• hxxp://kbentertainmentanddesign.com/wp-content/plugins/easyrotator-for-wordpress/4
• fortroledin.com
• agaratas.com
• atlanimeday.com
• gooblesooq.com

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date/Time:  Tuesday 2017-11-21 as early as 15:29 UTC through at least 16:48 UTC
• Subject:  Your confirmation for HoldMail Service request
• From:  "US Postal Service" <mailhold@usapack.com>

• Received: from usapack.com ([12.22.103.35])
• Received: from usapack.com ([12.54.23.2])
• Received: from usapack.com ([12.94.151.102])
• Received: from usapack.com ([12.162.129.58])
• Received: from usapack.com ([12.187.34.75])
• Received: from usapack.com ([12.202.108.99])
• Received: from usapack.com ([23.99.83.245])
• Received: from usapack.com ([50.58.211.106])
• Received: from usapack.com ([50.226.203.178])
• Received: from usapack.com ([64.203.236.7])
• Received: from usapack.com ([67.91.179.36])
• Received: from usapack.com ([70.25.0.247])
• Received: from usapack.com ([71.119.122.65])
• Received: from usapack.com ([72.4.5.34])
• Received: from usapack.com ([74.81.115.46])
• Received: from usapack.com ([74.205.144.158])
• Received: from usapack.com ([75.145.28.141])
• Received: from usapack.com ([97.65.11.98])
• Received: from usapack.com ([97.68.33.27])
• Received: from usapack.com ([103.60.214.196])
• Received: from usapack.com ([104.201.90.210])
• Received: from usapack.com ([162.222.234.111])
• Received: from usapack.com ([162.245.37.122])
• Received: from usapack.com ([162.255.200.138])
• Received: from usapack.com ([170.249.183.166])
• Received: from usapack.com ([172.110.242.150])
• Received: from usapack.com ([184.2.65.4])
• Received: from usapack.com ([184.69.205.206])
• Received: from usapack.com ([187.157.157.210])
• Received: from usapack.com ([192.92.4.16])
• Received: from usapack.com ([204.195.154.167])
• Received: from usapack.com ([207.58.222.34])
• Received: from usapack.com ([207.201.212.250])
• Received: from usapack.com ([209.37.252.130])
• Received: from usapack.com ([209.251.144.44])
• Received: from usapack.com (16.radissonjdc.netexpress.net [64.22.213.241])
• Received: from usapack.com (24-182-216-82.static.ftwo.tx.charter.com [24.182.216.82])
• Received: from usapack.com (24-183-26-75.dhcp.fdul.wi.charter.com [24.183.26.75])
• Received: from usapack.com (24-197-86-42.static.mtgm.al.charter.com [24.197.86.42])
• Received: from usapack.com (24-240-172-42.static.hckr.nc.charter.com [24.240.172.42])
• Received: from usapack.com (45-18-17-125.lightspeed.irvnca.sbcglobal.net [45.18.17.125])
• Received: from usapack.com (50-73-11-141-richmond.hfc.comcastbusiness.net [50.73.11.141])
• Received: from usapack.com (50-77-19-245-static.hfc.comcastbusiness.net [50.77.19.245])
• Received: from usapack.com (50-78-130-206-static.hfc.comcastbusiness.net [50.78.130.206])
• Received: from usapack.com (50-78-81-125-static.hfc.comcastbusiness.net [50.78.81.125])
• Received: from usapack.com (50-198-118-121-static.hfc.comcastbusiness.net [50.198.118.121])
• Received: from usapack.com (50-243-20-193-static.hfc.comcastbusiness.net [50.243.20.193])
• Received: from usapack.com (50-255-125-165-static.hfc.comcastbusiness.net [50.255.125.165])
• Received: from usapack.com (66-193-155-98.static.twtelecom.net [66.193.155.98])
• Received: from usapack.com (70-89-79-149-Georgia.hfc.comcastbusiness.net [70.89.79.149])
• Received: from usapack.com (71-12-100-6.static.mtgm.al.charter.com [71.12.100.6])
• Received: from usapack.com (71-15-21-35.dhcp.ahvl.nc.charter.com [71.15.21.35])
• Received: from usapack.com (75.97.231.135.res-cmts.leh.ptd.net [75.97.231.135])
• Received: from usapack.com (96-18-238-179.cpe.cableone.net [96.18.238.179])
• Received: from usapack.com (96-37-147-182.static.leds.al.charter.com [96.37.147.182])
• Received: from usapack.com (96-68-207-122-static.hfc.comcastbusiness.net [96.68.207.122])
• Received: from usapack.com (96-84-197-194-static.hfc.comcastbusiness.net [96.84.197.194])
• Received: from usapack.com (96-95-178-9-static.hfc.comcastbusiness.net [96.95.178.9])
• Received: from usapack.com (97-88-126-215.dhcp.stls.mo.charter.com [97.88.126.215])
• Received: from usapack.com (99-32-253-114.lightspeed.rlghnc.sbcglobal.net [99.32.253.114])
• Received: from usapack.com (173-9-179-53-miami.txt.hfc.comcastbusiness.net [173.9.179.53])
• Received: from usapack.com (173-219-110-68.end1cmtc01.com.sta.suddenlink.net [173.219.110.68])
• Received: from usapack.com (174-126-103-159.cpe.cableone.net [174.126.103.159])
• Received: from usapack.com (adsl-69-232-81-238.dsl.sndg02.pacbell.net [69.232.81.238])
• Received: from usapack.com (adsl-76-237-148-143.dsl.chcgil.sbcglobal.net [76.237.148.143])
• Received: from usapack.com (adsl-99-64-219-166.dsl.stl2mo.sbcglobal.net [99.64.219.166])
• Received: from usapack.com (archiver.seacrestservices.com [72.17.199.254])
• Received: from usapack.com (business-188-142-224-217.business.broadband.hu [188.142.224.217])
• Received: from usapack.com (cpe-static-negastroenterologyofhonesdale-rtr.cmts.haw.ptd.net [24.238.61.74])
• Received: from usapack.com (cpe6-168.sweetwaterhsa.com [206.217.6.169])
• Received: from usapack.com (figaro.chrr.ohio-state.edu [140.254.199.23])
• Received: from usapack.com (h69-129-179-181.nwblwi.dedicated.static.tds.net [69.129.179.181])
• Received: from usapack.com (ip21-69.neill.net [208.245.21.69])
• Received: from usapack.com (mail.KTDesigngroup.com [70.61.145.82])
• Received: from usapack.com (mail.shopeconcrete.com [70.89.139.233])
• Received: from usapack.com (mail2.communityautomotive.com [173.162.49.233])
• Received: from usapack.com (modemcable074.248-70-69.static.videotron.ca [69.70.248.74])
• Received: from usapack.com (ool-addc3ac2.static.optonline.net [173.220.58.194])
• Received: from usapack.com (pool-71-161-196-16.burl.east.myfairpoint.net [71.161.196.16])
• Received: from usapack.com (remote.aaablastcote.com [12.193.182.66])
• Received: from usapack.com (rrcs-50-84-166-122.sw.biz.rr.com [50.84.166.122])
• Received: from usapack.com (rrcs-69-193-167-218.nyc.biz.rr.com [69.193.167.218])
• Received: from usapack.com (rrcs-70-60-26-78.central.biz.rr.com [70.60.26.78])
• Received: from usapack.com (rrcs-72-43-170-166.nyc.biz.rr.com [72.43.170.166])
• Received: from usapack.com (rrcs-74-219-41-38.central.biz.rr.com [74.219.41.38])
• Received: from usapack.com (rrcs-97-76-154-114.se.biz.rr.com [97.76.154.114])
• Received: from usapack.com (rrcs-97-78-8-202.se.biz.rr.com [97.78.8.202])
• Received: from usapack.com (rrcs-108-176-96-162.nys.biz.rr.com [108.176.96.162])
• Received: from usapack.com (s75-152-226-254.ab.hsia.telus.net [75.152.226.254])
• Received: from usapack.com (static-72-76-45-178.nwrknj.fios.verizon.net [72.76.45.178])
• Received: from usapack.com (static-72-87-95-7.prvdri.fios.verizon.net [72.87.95.7])
• Received: from usapack.com (wsip-72-206-78-171.br.br.cox.net [72.206.78.171])
• Received: from usapack.com (wsip-98-190-50-103.hr.hr.cox.net [98.190.50.103])

 

Shown above:  Clicking on a link from one of the emails.

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

LINKS IN THE EMAILS TO THE WORD DOCUMENT:

• hxxp://511boots.com?053U8i7CA3aExu533=[recipient's email address]
• hxxp://511boots.com?2U50s8c0rEc5Gaa24v=[recipient's email address]
• hxxp://511boots.com?5SUny7IZy5R=[recipient's email address]
• hxxp://511boots.com?8ErK3x0o5y6ys=[recipient's email address]
• hxxp://511boots.com?ae13aAkEh2jUsxDV=[recipient's email address]
• hxxp://511boots.com?mqAs73ko2oaa0Od=[recipient's email address]
• hxxp://511boots.com?u3=[recipient's email address]
• hxxp://511boots.com?vRYH468f3=[recipient's email address]
• hxxp://511boots.com?xe2on1jU13=[recipient's email address]
• hxxp://511boots.com?XyvYeO5f7j06uO=[recipient's email address]
• hxxp://511boots.com?YugZEUq8V4shEQX1=[recipient's email address]
• hxxp://511footwear.com?0co6AWuLyF2uK8iG=[recipient's email address]
• hxxp://511footwear.com?1Omb8EQUIb=[recipient's email address]
• hxxp://511footwear.com?32oE1iUEUU46y4uss6=[recipient's email address]
• hxxp://511footwear.com?44iVOMw1r4e3Z7=[recipient's email address]
• hxxp://511footwear.com?4ioK6a1t4sR320o0aq=[recipient's email address]
• hxxp://511footwear.com?5j5Zoc47582Faf2A3=[recipient's email address]
• hxxp://511footwear.com?6y45aqwa81l5p7AP=[recipient's email address]
• hxxp://511footwear.com?73e80VHCe14XRgEE=[recipient's email address]
• hxxp://511footwear.com?8U1x4EEavQjo4y7=[recipient's email address]
• hxxp://511footwear.com?bo0yT2f2P7=[recipient's email address]
• hxxp://511footwear.com?jE5qZ=[recipient's email address]
• hxxp://511footwear.com?jtI1U3aofU106iE=[recipient's email address]
• hxxp://511footwear.com?Oeaajy6OyQiR0oDY=[recipient's email address]
• hxxp://511footwear.com?VUym=[recipient's email address]
• hxxp://511footwear.com?x8AlU708hNxuiFG0y=[recipient's email address]
• hxxp://511footwear.com?Zezt0P4ipU8d=[recipient's email address]
• hxxp://globalretailconcepts.com?4ZY2U0y057gyi4o6P=[recipient's email address]
• hxxp://globalretailconcepts.com?5qEJy=[recipient's email address]
• hxxp://globalretailconcepts.com?63dAdeAhLYs2x=[recipient's email address]
• hxxp://globalretailconcepts.com?CoG04ozg276yv3=[recipient's email address]
• hxxp://globalretailconcepts.com?eA0sIociq2UYEaYN4j=[recipient's email address]
• hxxp://globalretailconcepts.com?I3AOQfk0U07hiI4Z47=[recipient's email address]
• hxxp://globalretailconcepts.com?jA0j0836B163q1E0=[recipient's email address]
• hxxp://globalretailconcepts.com?Kg8i1u7jKt0kSF22C3=[recipient's email address]
• hxxp://globalretailconcepts.com?OmUj77X810MC=[recipient's email address]
• hxxp://globalretailconcepts.com?pA6swt8OipOl=[recipient's email address]
• hxxp://globalretailconcepts.com?r7VcH2f5li8=[recipient's email address]
• hxxp://packin-tee.com?0IF78meOaA3AC2A6A=[recipient's email address]
• hxxp://packin-tee.com?24AEsyijxRu8EDIuo=[recipient's email address]
• hxxp://packin-tee.com?277sxO3I52Qyh=[recipient's email address]
• hxxp://packin-tee.com?55zI7Z8UDU5zY6La=[recipient's email address]
• hxxp://packin-tee.com?eA7eGo2IL1P87v=[recipient's email address]
• hxxp://packin-tee.com?lNOG0me5T4OVHU=[recipient's email address]
• hxxp://packin-tee.com?LYn7uiZkUDJ3f4y=[recipient's email address]
• hxxp://packin-tee.com?s26Yp00uA817IK87H=[recipient's email address]
• hxxp://packin-tee.com?w6INu=[recipient's email address]
• hxxp://packin-tee.com?yv0EIu3a1iiD8u=[recipient's email address]
• hxxp://packin-tees.com?1mybEQC6=[recipient's email address]
• hxxp://packin-tees.com?1Y48856EDda6=[recipient's email address]
• hxxp://packin-tees.com?4sy8el0VmIr5N=[recipient's email address]
• hxxp://packin-tees.com?642Oxo8eSQ5s1K=[recipient's email address]
• hxxp://packin-tees.com?8sT7IagA331=[recipient's email address]
• hxxp://packin-tees.com?AxeeFy2W840=[recipient's email address]
• hxxp://packin-tees.com?C06ECjyGz4sEeH=[recipient's email address]
• hxxp://packin-tees.com?DeH3QG5Lxk6NT0=[recipient's email address]
• hxxp://packin-tees.com?f73IeYUm1dUDeQx=[recipient's email address]
• hxxp://packin-tees.com?G0w7p27B58m3z45=[recipient's email address]
• hxxp://packin-tees.com?Jiq=[recipient's email address]
• hxxp://packin-tees.com?XafY3m2O=[recipient's email address]
• hxxp://packintee.com?0114SEmee0oa888=[recipient's email address]
• hxxp://packintee.com?6xOJdm0Ur6EyXEpA8=[recipient's email address]
• hxxp://packintee.com?8y31yzg0LozDZ6E=[recipient's email address]
• hxxp://packintee.com?A7156Fkuo5=[recipient's email address]
• hxxp://packintee.com?B4YhINue7a2=[recipient's email address]
• hxxp://packintee.com?d7a8YPmO=[recipient's email address]
• hxxp://packintee.com?fe6oBaEOkiGJ5iIVl=[recipient's email address]
• hxxp://packintee.com?fkHP3oBK1ICxCAFU0=[recipient's email address]
• hxxp://packintee.com?G2j=[recipient's email address]
• hxxp://packintee.com?MZ0Mxa2gUerM66U=[recipient's email address]
• hxxp://packintee.com?xIzuo=[recipient's email address]
• hxxp://packintee.net?20psdIxaF0OQ218wu=[recipient's email address]
• hxxp://packintee.net?3mu4uNuKA8IS1=[recipient's email address]
• hxxp://packintee.net?60nAzAJiUOuO3G=[recipient's email address]
• hxxp://packintee.net?7ZEOLhuIPz1fI3U=[recipient's email address]
• hxxp://packintee.net?D6EO602tiT0YEG=[recipient's email address]
• hxxp://packintee.net?o8Ena6q525em=[recipient's email address]
• hxxp://packintee.net?Y2E173KGuu68EYya11=[recipient's email address]
• hxxp://packintee.net?zYh7H4Bo203Zu7=[recipient's email address]
• hxxp://ridgeoutdoors.net?0d3143SD7E30KP3=[recipient's email address]
• hxxp://ridgeoutdoors.net?0SICYg6a0ULE47l=[recipient's email address]
• hxxp://ridgeoutdoors.net?0V7i03haU2io4o=[recipient's email address]
• hxxp://ridgeoutdoors.net?30e6o8W6Ak4l125=[recipient's email address]
• hxxp://ridgeoutdoors.net?4AOON5NFYhZ=[recipient's email address]
• hxxp://ridgeoutdoors.net?4u8kE3AkAa=[recipient's email address]
• hxxp://ridgeoutdoors.net?8l1Q5P2EWu688=[recipient's email address]
• hxxp://ridgeoutdoors.net?gi03Oxu5YJ8co6G4=[recipient's email address]
• hxxp://ridgeoutdoors.net?IXyuE8pwKqDU=[recipient's email address]
• hxxp://ridgeoutdoors.net?QAFG1248KlMOh01YZ=[recipient's email address]
• hxxp://ridgeoutdoors.net?s71e8ycdJeBIR551M=[recipient's email address]
• hxxp://ridgeoutdoors.net?VaY1A3URUEQiuUefcu=[recipient's email address]
• hxxp://ridgeoutdoors.net?x6BFYvY68=[recipient's email address]
• hxxp://ridgeoutdoors.net?Y0bP=[recipient's email address]
• hxxp://ridgeoutdoors.net?y8oI7piH8u=[recipient's email address]
• hxxp://swatfootwear.com?28=[recipient's email address]
• hxxp://swatfootwear.com?2h40be52tNo4J07=[recipient's email address]
• hxxp://swatfootwear.com?3418X2=[recipient's email address]
• hxxp://swatfootwear.com?3jOA4cu4O8=[recipient's email address]
• hxxp://swatfootwear.com?4Usx7UBgPIcIFoS=[recipient's email address]
• hxxp://swatfootwear.com?5124No576B14P=[recipient's email address]
• hxxp://swatfootwear.com?74EthUe5ez2f3=[recipient's email address]
• hxxp://swatfootwear.com?aUG8tOm80C=[recipient's email address]
• hxxp://swatfootwear.com?b7vi5UIAeuhUNQ2=[recipient's email address]
• hxxp://swatfootwear.com?detE7Za71s33P64=[recipient's email address]
• hxxp://swatfootwear.com?KE5a2lA7M2dU5u6N=[recipient's email address]
• hxxp://swatfootwear.com?na04m1Jo31=[recipient's email address]
• hxxp://swatfootwear.com?nUyis1D7A=[recipient's email address]
• hxxp://swatfootwear.com?ta6OB0XYm=[recipient's email address]
• hxxp://swatfootwear.com?TO0aZ4y12Co=[recipient's email address]
• hxxp://swatfootwear.com?wuU61t3=[recipient's email address]
• hxxp://swatfootwear.com?Yox1AEqUfH=[recipient's email address]
• hxxp://usroute66popcorn.com?0Zv6s36RpZaDhOc=[recipient's email address]
• hxxp://usroute66popcorn.com?2tj4w68MRk=[recipient's email address]
• hxxp://usroute66popcorn.com?7o8p8gy7ba2yE0CS0=[recipient's email address]
• hxxp://usroute66popcorn.com?8E64e4J=[recipient's email address]
• hxxp://usroute66popcorn.com?8iUacUAHO78M=[recipient's email address]
• hxxp://usroute66popcorn.com?EE86KEVTjd58a7ATy=[recipient's email address]
• hxxp://usroute66popcorn.com?P6SYKyUjh=[recipient's email address]
• hxxp://usroute66popcorn.com?YP618if15JV6PyGaQG=[recipient's email address]

NETWORK TRAFFIC FROM MY INFECTED LAB HOST:

• 45.76.37.60 port 80 - usroute66popcorn.com - GET /?P6SYKyUjh=[recipient's email address]
• api.ipify.org - GET /
• 91.221.37.38 port 80 - fortroledin.com - POST /ls5/forum.php
• 185.111.107.150 port 80 - himsedtione.ru - POST /ls5/forum.php
• 185.111.107.150 port 80 - himsedtione.ru - POST /mlu/forum.php
• 31.216.35.44 port 80 - artifexbygg.se - GET /wp-content/plugins/easyrotator-for-wordpress/1
• 31.216.35.44 port 80 - artifexbygg.se - GET /wp-content/plugins/easyrotator-for-wordpress/2
• 31.216.35.44 port 80 - artifexbygg.se - GET /wp-content/plugins/easyrotator-for-wordpress/4
• 96.0.148.2 port 80 - kbentertainmentanddesign.com - GET /wp-content/plugins/easyrotator-for-wordpress/2
• 96.0.148.2 port 80 - kbentertainmentanddesign.com - GET /wp-content/plugins/easyrotator-for-wordpress/4
• 91.221.37.38 port 80 - fortroledin.com - POST /d2/about.php
• 185.153.198.40 port 80 - agaratas.com - GET /docs/new?id=84AC83F50000000E   [file downloader retrieving IcedID banking Trojan]
• 185.5.251.33 port 443 - atlanimeday.com - HTTPS/SSL/TLS traffic (IcedID banking Trojan)
• 185.5.251.33 port 443 - localhost - HTTPS/SSL/TLS traffic (IcedID banking Trojan)
• 185.127.26.227 port 443 - gooblesooq.com - HTTPS/SSL/TLS traffic (IcedID banking Trojan)
• 185.127.26.227 port 443 - localhost - HTTPS/SSL/TLS traffic (IcedID banking Trojan)

 

FILE HASHES

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  5d3651d7ee057156eabf329b198a46c19a51212ed034cc649a2edb6f3822ef13
  File size:  321,024 bytes
  File name:  invoice_[6 random digits].doc
  File description:  Word document with macros for Hancitor

• SHA256 hash:  2a6e8d001a8f7783ea07df1e4bcd83d1551a70f954b72293a6552a178780e70a
  File size:  77,824 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\BN2886.tmp
  File description:  File downloader that grabbed the IcedID banking Trojan

• SHA256 hash:  be2181efefe936a9a7560c8914b6a7688c9fe7c2fcd7d164425d37fd7db878a8
  File size:  344,064 bytes
  File location:  C:\Users\[username]\AppData\Roaming\C08BCF4A.exe
  File location:  C:\Users\[username]\AppData\Local\atctaachi\atctaachi.exe
  File description:  IcedID banking Trojan

 

IMAGES

Shown above:  Some alerts from Sguil in Security Onion using Suricata and the EmergingThreats ruleset.

 

Shown above:  Some alerts using Snort 2.9.11 and the Snort subscription ruleset when playing back the same pcap.

 

Shown above:  IceID banking Trojan persistent on the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap:  2017-11-21-Hancitor-malspam-traffic.pcap.zip   1.7 MB (1,699,032 bytes)
• Zip archive of the malware:  2017-11-21-Hancitor-malspam-example-and-artifacts.zip   509 kB (508,831 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.