2017-12-06 - HANCITOR MALSPAM - MORE ICEDID BANKING TROJAN (NO ZEUS PANDA BANKER)
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-12-06-Hancitor-malspam-traffic.pcap.zip 1.0 MB (1,032,095 bytes)
- 2017-12-06-Hancitor-malspam-traffic.pcap (1,934,709 bytes)
- Zip archive of the emails (30 emails in one text file): 2017-12-06-Hancitor-malspam-30-emails.txt.zip 3.7 kB (3,667 bytes)
- 2017-12-06-Hancitor-malspam-30-emails.txt (34,526 bytes)
- Zip archive of the malware: 2017-12-06-malware-from-Hancitor-malspam.zip 695 kB (694,543 bytes)
- 2017-12-06-Hancitor-maldoc-invoice_491457.doc (214,528 bytes)
- 2017-12-06-IcedID-banking-Trojan-theatctaa.exe (903,168 bytes)
- 2017-12-06-binary-from-nobleduty.com.exe (825,856 bytes)
NOTES:
- Yesterday, post-infection malware from Hancitor malspam included Zeus Panda Banker. Today, it included IcedID banking Trojan.
- Of course, there's still Pony and Evil Pony (both fileless) being downloaded by Hancitor from the Word document macro.
- I previously documented IcedID from Hancitor malspam on 2017-11-21.
- There's another file similar to IcedID involved (same file icon), but I don't think it's a downloader this time.
- Not sure what the encoding is for the string that represents the recipient's email address in links from the malspam. It's not a Base64 string like we've seen before.
- Thanks to @James_inthe_box and @Techhelplistcom who published additional indicators that I've included in this report.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- artsforglobalpeaceandhealing.com
- artsforglobalpeaceandhealing.org
- ecocoutoure.com
- hrhprincessleith.com
- iaanetwork.tv
- iaanetworknews.com
- iaasearch.com
- princessleith.com
- princessleitheatonde-grimaldi.com
- princessleithofmonaco.com
- theartspost.com
- theartssearch.com
- theartsuniversity.com
- athedtburen.ru
- ronhingotlo.ru
- torsharucal.com
- hxxp://halletts.com/wp-content/plugins/wp-db-backup-made/1
- hxxp://halletts.com/wp-content/plugins/wp-db-backup-made/2
- hxxp://halletts.com/wp-content/plugins/wp-db-backup-made/3
- hxxp://mebelucci.com.ua/wp-content/plugins/bwp-google-xml-sitemaps/1
- hxxp://mebelucci.com.ua/wp-content/plugins/bwp-google-xml-sitemaps/2
- hxxp://mebelucci.com.ua/wp-content/plugins/bwp-google-xml-sitemaps/3
- hxxp://mutznutzpetcare.com/wp-content/plugins/category-posts/1
- hxxp://mutznutzpetcare.com/wp-content/plugins/category-posts/2
- hxxp://mutznutzpetcare.com/wp-content/plugins/category-posts/3
- hxxp://sgs36.ru/wp-content/plugins/lightbox-plus/1
- hxxp://sgs36.ru/wp-content/plugins/lightbox-plus/2
- hxxp://sgs36.ru/wp-content/plugins/lightbox-plus/3
- hxxp://utilitia.com/wp-content/plugins/custom-post-type-ui/1
- hxxp://utilitia.com/wp-content/plugins/custom-post-type-ui/2
- hxxp://utilitia.com/wp-content/plugins/custom-post-type-ui/3
- camorata.com
- excelano.net
- dorothyle.net
- nobleduty.com
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date/Time: Wednesday 2017-12-06 as early as 15:29 UTC through at least 19:48 UTC
- Subject: RE: FYI invoice status
- From: "[random first and last names]" <finance@executivecenters.com>
- Received: from executivecenters.com ([12.154.171.180])
- Received: from executivecenters.com ([23.31.1.70])
- Received: from executivecenters.com ([24.18.144.193])
- Received: from executivecenters.com ([24.153.220.106])
- Received: from executivecenters.com ([24.172.35.186])
- Received: from executivecenters.com ([64.60.9.115])
- Received: from executivecenters.com ([64.61.172.230])
- Received: from executivecenters.com ([68.188.200.115])
- Received: from executivecenters.com ([69.68.213.2])
- Received: from executivecenters.com ([71.9.102.11])
- Received: from executivecenters.com ([71.12.100.6])
- Received: from executivecenters.com ([74.93.156.78])
- Received: from executivecenters.com ([76.237.148.143])
- Received: from executivecenters.com ([96.40.51.123])
- Received: from executivecenters.com ([96.82.114.57])
- Received: from executivecenters.com ([96.83.60.30])
- Received: from executivecenters.com ([104.136.18.139])
- Received: from executivecenters.com ([107.11.97.242])
- Received: from executivecenters.com ([142.176.85.144])
- Received: from executivecenters.com ([162.222.234.111])
- Received: from executivecenters.com ([173.8.67.169])
- Received: from executivecenters.com ([173.14.210.225])
- Received: from executivecenters.com ([184.169.59.9])
- Received: from executivecenters.com ([190.25.45.116])
- Received: from executivecenters.com ([201.229.68.245])
- Received: from executivecenters.com ([208.245.21.68])
- Received: from executivecenters.com ([216.164.4.50])
- Received: from executivecenters.com ([216.174.138.18])
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: Some alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro ruleset.
LINKS IN THE EMAILS TO THE WORD DOCUMENT:
- hxxp://artsforglobalpeaceandhealing.com?NAb47u34E7XuyXe68v=[encoded string representing recipient's email address]
- hxxp://artsforglobalpeaceandhealing.com?oQImm5wem6ox2=[encoded string representing recipient's email address]
- hxxp://artsforglobalpeaceandhealing.org?4ukqo3E5Ork0nas=[encoded string representing recipient's email address]
- hxxp://artsforglobalpeaceandhealing.org?cvt4Q66EXmNu26JUb=[encoded string representing recipient's email address]
- hxxp://ecocoutoure.com?xR7AJ43vObbAEQEzu=[encoded string representing recipient's email address]
- hxxp://hrhprincessleith.com?2r1n0I2277=[encoded string representing recipient's email address]
- hxxp://hrhprincessleith.com?Gd45D0EG=[encoded string representing recipient's email address]
- hxxp://hrhprincessleith.com?i008MIfOIL=[encoded string representing recipient's email address]
- hxxp://hrhprincessleith.com?w0Y64121C5uVY=[encoded string representing recipient's email address]
- hxxp://hrhprincessleith.com?WQ24=[encoded string representing recipient's email address]
- hxxp://iaanetwork.tv?E3clUSC8o6AfA42=[encoded string representing recipient's email address]
- hxxp://iaanetwork.tv?T8mFyUD6Qn70yZUO=[encoded string representing recipient's email address]
- hxxp://iaanetworknews.com?PkynM35oxA=[encoded string representing recipient's email address]
- hxxp://iaasearch.com?4UuiH3040oQJ0=[encoded string representing recipient's email address]
- hxxp://iaasearch.com?cYu3s8S8pUpu014=[encoded string representing recipient's email address]
- hxxp://iaasearch.com?dHYHiy1a61UU0=[encoded string representing recipient's email address]
- hxxp://iaasearch.com?ILmOP2=[encoded string representing recipient's email address]
- hxxp://iaasearch.com?oIu=[encoded string representing recipient's email address]
- hxxp://princessleith.com?82ae0F4bEU43T5=[encoded string representing recipient's email address]
- hxxp://princessleith.com?FPl62ideBmy6azE6oe=[encoded string representing recipient's email address]
- hxxp://princessleith.com?M723p=[encoded string representing recipient's email address]
- hxxp://princessleitheatonde-grimaldi.com?JA2cO3Ey6=[encoded string representing recipient's email address]
- hxxp://princessleithofmonaco.com?8JINjpco2hJN=[encoded string representing recipient's email address]
- hxxp://princessleithofmonaco.com?ZL1O7d23Lq=[encoded string representing recipient's email address]
- hxxp://theartspost.com?06e0A5PoP2Ith8t=[encoded string representing recipient's email address]
- hxxp://theartspost.com?7EL7OXDb6lmy8=[encoded string representing recipient's email address]
- hxxp://theartspost.com?ElisiA6e6o=[encoded string representing recipient's email address]
- hxxp://theartssearch.com?iri0uI2gUces=[encoded string representing recipient's email address]
- hxxp://theartssearch.com?M00=[encoded string representing recipient's email address]
- hxxp://theartsuniversity.com?OgWYIRY54H7UK71=[encoded string representing recipient's email address]
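Two things in the email section are worth turning into a repeatable check: the Received headers (one claimed hostname, executivecenters.com, presented by 28 different connecting IPs) and the links (no path, one alphanumeric query parameter, a value that encodes the recipient address and is not Base64). The Python below is an added example, not part of the original post and not tooling from the author. The sample headers reuse three hostname/IP pairs from the list above with made-up "by" clauses, and the sample link values are placeholders, since the real encoded strings are not reproduced on this page.

```python
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Domains that hosted the Word document links (from the block list above).
LINK_DOMAINS = {
    "artsforglobalpeaceandhealing.com", "artsforglobalpeaceandhealing.org",
    "ecocoutoure.com", "hrhprincessleith.com", "iaanetwork.tv",
    "iaanetworknews.com", "iaasearch.com", "princessleith.com",
    "princessleitheatonde-grimaldi.com", "princessleithofmonaco.com",
    "theartspost.com", "theartssearch.com", "theartsuniversity.com",
}

# "Received: from <claimed name> ([<connecting IP>])", the shape in the headers above.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(\S+)\s+\(\[(\d{1,3}(?:\.\d{1,3}){3})\]\)", re.MULTILINE
)


def received_sources(headers):
    """Return (claimed name, connecting IP) pairs from Received headers."""
    return RECEIVED_RE.findall(headers)


def ips_per_claimed_name(headers):
    """Group connecting IPs by the hostname each sender claimed."""
    spread = defaultdict(set)
    for name, ip in received_sources(headers):
        spread[name.lower()].add(ip)
    return {name: sorted(ips) for name, ips in spread.items()}


def names_with_many_sources(headers, threshold=3):
    """Claimed names seen from at least `threshold` distinct IPs, which is
    exactly what the executivecenters.com headers above show."""
    return sorted(n for n, ips in ips_per_claimed_name(headers).items() if len(ips) >= threshold)


def refang(url):
    """Turn the defanged hxxp:// notation used above back into http://."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def looks_like_base64(value):
    """True only if value is canonical Base64: alphabet, padding and length all fit."""
    if len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def classify_link(url):
    """Describe one URL: known domain, and whether it has the no-path,
    single-parameter shape of the links listed above."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    key, _, value = parts.query.partition("=")   # manual split: parse_qsl would turn '+' into a space
    hancitor_shape = (
        parts.path in ("", "/")
        and "&" not in parts.query
        and re.fullmatch(r"[A-Za-z0-9]+", key) is not None
        and value != ""
    )
    return {
        "host": host,
        "known_domain": host in LINK_DOMAINS,
        "hancitor_shape": hancitor_shape,
        "param": key or None,
        "value_is_base64": looks_like_base64(value) if value else False,
    }


# Constructed sample headers: three hostname/IP pairs from the list above plus
# one unrelated control line; the "by ..." clauses and timestamps are made up.
SAMPLE_HEADERS = """\
Received: from executivecenters.com ([12.154.171.180]) by mx.example.net with ESMTP; Wed, 6 Dec 2017 15:29:01 +0000
Received: from executivecenters.com ([23.31.1.70]) by mx.example.net with ESMTP; Wed, 6 Dec 2017 15:33:14 +0000
Received: from executivecenters.com ([24.18.144.193]) by mx.example.net with ESMTP; Wed, 6 Dec 2017 15:40:52 +0000
Received: from mail.example.org ([203.0.113.5]) by mx.example.net with ESMTP; Wed, 6 Dec 2017 16:02:30 +0000
"""

# Constructed sample links: hosts and parameter names from the list above, but the
# values are placeholders, not the real encoded recipient strings.
SAMPLE_LINKS = [
    "hxxp://theartspost.com?ElisiA6e6o=dGVzdEBleGFtcGxlLmNvbQ==",  # placeholder: base64("test@example.com")
    "hxxp://iaasearch.com?oIu=7a3f09c1d2e4b5",                      # placeholder: not Base64-shaped
    "hxxp://example.com/login?user=test&next=/",                     # ordinary link for contrast
]

if __name__ == "__main__":
    print(ips_per_claimed_name(SAMPLE_HEADERS))
    print(names_with_many_sources(SAMPLE_HEADERS))
    for link in SAMPLE_LINKS:
        print(link, classify_link(link))
```

The link check deliberately keys on structure (empty path, exactly one alphanumeric parameter) rather than on the domain list, so it still fires when tomorrow's run uses fresh domains; the domain set is there to confirm a hit against today's indicators.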
NETWORK TRAFFIC FROM MY INFECTED LAB HOST:
- 82.202.238.203 port 80 - theartspost.com - GET /?ElisiA6e6o=[encoded string representing recipient's email address]
- api.ipify.org - GET / [IP address check by the infected Windows host]
- 185.48.56.139 port 80 - torsharucal.com - POST /ls5/forum.php
- 185.48.56.139 port 80 - torsharucal.com - POST /mlu/forum.php
- 185.48.56.139 port 80 - torsharucal.com - POST /d2/about.php
- 193.169.189.72 port 80 - mebelucci.com.ua - GET /wp-content/plugins/bwp-google-xml-sitemaps/1
- 193.169.189.72 port 80 - mebelucci.com.ua - GET /wp-content/plugins/bwp-google-xml-sitemaps/2
- 193.169.189.72 port 80 - mebelucci.com.ua - GET /wp-content/plugins/bwp-google-xml-sitemaps/3
- 185.22.65.17 port 443 - camorata.com - HTTPS/SSL/TLS traffic associated with IcedID
- 185.22.65.17 port 443 - localhost - HTTPS/SSL/TLS traffic associated with IcedID
- 185.127.26.227 port 80 - nobleduty.com - GET /f/read.txt [returned Windows executable]
- 185.22.65.17 port 443 - excelano.net - HTTPS/SSL/TLS traffic associated with IcedID
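The Suricata alerts shown earlier cover this on the wire; the same signals are worth having as proxy-log logic too, because several of them are shape-based and outlive the specific domains. The Python below is an added example, not part of the original post and not the author's tooling. It tags four things the traffic list above shows: the Hancitor check-in POSTs to /<dir>/forum.php and /<dir>/about.php, the numbered /wp-content/plugins/<plugin>/<n> follow-up downloads, a response that starts with the MZ header despite being served under a .txt name (nobleduty.com/f/read.txt), and a TLS connection whose SNI is "localhost". The nine-field log format and the sample lines are constructed; hosts, IPs and paths come from the list above, while timestamps, status codes and the "x" placeholder for the encoded query value are made up.

```python
import re
from dataclasses import dataclass

# Domains from the block list above (link hosts, Hancitor C2 and the IcedID hosts).
BLOCKED_DOMAINS = {
    "artsforglobalpeaceandhealing.com", "artsforglobalpeaceandhealing.org",
    "ecocoutoure.com", "hrhprincessleith.com", "iaanetwork.tv",
    "iaanetworknews.com", "iaasearch.com", "princessleith.com",
    "princessleitheatonde-grimaldi.com", "princessleithofmonaco.com",
    "theartspost.com", "theartssearch.com", "theartsuniversity.com",
    "athedtburen.ru", "ronhingotlo.ru", "torsharucal.com",
    "camorata.com", "excelano.net", "dorothyle.net", "nobleduty.com",
}
# Compromised WordPress sites whose numbered plugin URLs are in the block list.
PLUGIN_HOSTS = {"halletts.com", "mebelucci.com.ua", "mutznutzpetcare.com", "sgs36.ru", "utilitia.com"}

# Shape of the three check-in paths seen above: /ls5/forum.php, /mlu/forum.php, /d2/about.php.
CHECKIN_RE = re.compile(r"^/[A-Za-z0-9]+/(?:forum|about)\.php$")
# Shape of the follow-up downloads: /wp-content/plugins/<plugin>/<number>.
NUMBERED_RE = re.compile(r"^/wp-content/plugins/[^/]+/\d+$")


@dataclass
class Record:
    ts: str
    dst_ip: str
    dst_port: int
    method: str
    host: str
    uri: str
    status: str
    magic: str   # first two response-body bytes as hex, "-" if not recorded
    sni: str     # TLS server name on CONNECTs, "-" for plain HTTP


def parse_line(line):
    """Parse one line of the constructed nine-field proxy log format."""
    fields = line.split()
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    ts, dst_ip, port, method, host, uri, status, magic, sni = fields
    return Record(ts, dst_ip, int(port), method.upper(), host.lower(), uri, status, magic.lower(), sni.lower())


def tag_record(r):
    """Return the detection tags that apply to one proxy record."""
    tags = []
    if r.host in BLOCKED_DOMAINS:
        tags.append("blocklisted-domain")
    if r.method == "POST" and CHECKIN_RE.match(r.uri):
        tags.append("hancitor-checkin-shape")
    if r.method == "GET" and r.host in PLUGIN_HOSTS and NUMBERED_RE.match(r.uri):
        tags.append("numbered-plugin-download")
    # read.txt came back as a Windows executable: trust the bytes, not the file name.
    if r.magic == "4d5a" and not r.uri.lower().endswith((".exe", ".dll")):
        tags.append("exe-served-under-non-exe-name")
    if r.dst_port == 443 and r.sni == "localhost":
        tags.append("tls-sni-localhost")
    return tags


def scan(log_text):
    """Return (line number, tags) for every record that triggers at least one tag."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        tags = tag_record(parse_line(line))
        if tags:
            hits.append((lineno, tags))
    return hits


# Constructed sample log: hosts, IPs and paths from the traffic list above; timestamps,
# status codes and the query placeholder "x" are made up; the last line is a benign control.
SAMPLE_LOG = """\
2017-12-06T16:01:03Z 82.202.238.203 80 GET theartspost.com /?ElisiA6e6o=x 200 - -
2017-12-06T16:01:25Z 185.48.56.139 80 POST torsharucal.com /ls5/forum.php 200 - -
2017-12-06T16:01:26Z 185.48.56.139 80 POST torsharucal.com /d2/about.php 200 - -
2017-12-06T16:01:40Z 193.169.189.72 80 GET mebelucci.com.ua /wp-content/plugins/bwp-google-xml-sitemaps/1 200 - -
2017-12-06T16:02:10Z 185.22.65.17 443 CONNECT - - - - localhost
2017-12-06T16:02:30Z 185.127.26.227 80 GET nobleduty.com /f/read.txt 200 4d5a -
2017-12-06T16:03:00Z 203.0.113.10 80 GET www.example.com /index.html 200 - -
"""

if __name__ == "__main__":
    for lineno, tags in scan(SAMPLE_LOG):
        print(lineno, ", ".join(tags))
```

The magic-bytes tag needs a proxy or sensor that records the first bytes of the response body; where only the Content-Type is logged, compare that header against the extension instead, with the caveat that the server controls both.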
FILE HASHES
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: 39e5933d46bcdc90baeee09b4ea2419f872cfce5ff7b64f0dbabd13372d4067c
File size: 214,528 bytes
File name: invoice_[6 random digits].doc
File description: Word document with macro for Hancitor
- SHA256 hash: 0817708eea27bc52e6fc60dc61730c47554d759a917485eefecded8db76746d4
File size: 903,168 bytes
File location: C:\Users\[username]\AppData\Local\Temp\BN87E4.tmp
File location: C:\Users\[username]\AppData\Local\hemansgol\theatctaa.exe
File description: IcedID banking Trojan
- SHA256 hash: 2e743c85b9cb9c28be19d7d5a945fafa9f4663c2e7615bef7378136dcbf2f6eb
File size: 825,856 bytes
File location: hxxp://nobleduty.com/f/read.txt
File description: Windows executable related to the IcedID banking Trojan
IMAGES
Shown above: IcedID banking Trojan persistent on the infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2017-12-06-Hancitor-malspam-traffic.pcap.zip 1.0 MB (1,032,095 bytes)
- Zip archive of the emails (30 emails in one text file): 2017-12-06-Hancitor-malspam-30-emails.txt.zip 3.7 kB (3,667 bytes)
- Zip archive of the malware: 2017-12-06-malware-from-Hancitor-malspam.zip 695 kB (694,543 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.