2017-12-06 - HANCITOR MALSPAM - MORE ICEDID BANKING TROJAN (NO ZEUS PANDA BANKER)

ASSOCIATED FILES:

• Zip archive of the pcap:  2017-12-06-Hancitor-malspam-traffic.pcap.zip   1.0 MB (1,032,095 bytes)

• 2017-12-06-Hancitor-malspam-traffic.pcap   (1,934,709 bytes)

• Zip archive of the emails (30 emails in one text file):  2017-12-06-Hancitor-malspam-30-emails.txt.zip   3.7 kB (3,667 bytes)

• 2017-12-06-Hancitor-malspam-30-emails.txt   (34,526 bytes)

• Zip archive of the malware:  2017-12-06-malware-from-Hancitor-malspam.zip   695 kB (694,543 bytes)

• 2017-12-06-Hancitor-maldoc-invoice_491457.doc   (214,528 bytes)
• 2017-12-06-IcedID-banking-Trojan-theatctaa.exe   (903,168 bytes)
• 2017-12-06-binary-from-nobleduty.com.exe   (825,856 bytes)

 

NOTES:

• Yesterday, post-infection malware from Hancitor malspam included Zeus Panda Banker.  Today, it included IcedID banking Trojan.
• Of course, there's still Pony and Evil Pony (both fileless) being downloaded by Hancitor from the Word document macro.
• I previously documented IcedID from Hancitor malspam on 2017-11-21.
• There's another file similar to IcedID involved (same file icon), but I don't think it's a downloader this time.
• Not sure what the encoding is for the string that represents the recipient's email address in links from the malspam.  It's not a Base64 string like we've seen before.
• Thanks to @James_inthe_box and @Techhelplistcom who published additional indicators that I've included in this report.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• artsforglobalpeaceandhealing.com
• artsforglobalpeaceandhealing.org
• ecocoutoure.com
• hrhprincessleith.com
• iaanetwork.tv
• iaanetworknews.com
• iaasearch.com
• princessleith.com
• princessleitheatonde-grimaldi.com
• princessleithofmonaco.com
• theartspost.com
• theartssearch.com
• theartsuniversity.com

• athedtburen.ru
• ronhingotlo.ru
• torsharucal.com

• hxxp://halletts.com/wp-content/plugins/wp-db-backup-made/1
• hxxp://halletts.com/wp-content/plugins/wp-db-backup-made/2
• hxxp://halletts.com/wp-content/plugins/wp-db-backup-made/3
• hxxp://mebelucci.com.ua/wp-content/plugins/bwp-google-xml-sitemaps/1
• hxxp://mebelucci.com.ua/wp-content/plugins/bwp-google-xml-sitemaps/2
• hxxp://mebelucci.com.ua/wp-content/plugins/bwp-google-xml-sitemaps/3
• hxxp://mutznutzpetcare.com/wp-content/plugins/category-posts/1
• hxxp://mutznutzpetcare.com/wp-content/plugins/category-posts/2
• hxxp://mutznutzpetcare.com/wp-content/plugins/category-posts/3
• hxxp://sgs36.ru/wp-content/plugins/lightbox-plus/1
• hxxp://sgs36.ru/wp-content/plugins/lightbox-plus/2
• hxxp://sgs36.ru/wp-content/plugins/lightbox-plus/3
• hxxp://utilitia.com/wp-content/plugins/custom-post-type-ui/1
• hxxp://utilitia.com/wp-content/plugins/custom-post-type-ui/2
• hxxp://utilitia.com/wp-content/plugins/custom-post-type-ui/3

• camorata.com
• excelano.net
• dorothyle.net
• nobleduty.com

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date/Time:  Wednesday 2017-12-06 as early as 15:29 UTC through at least 19:48 UTC
• Subject:  RE: FYI invoice status
• From:  "[random first and last names]" <finance@executivecenters.com>

• Received: from executivecenters.com ([12.154.171.180])
• Received: from executivecenters.com ([23.31.1.70])
• Received: from executivecenters.com ([24.18.144.193])
• Received: from executivecenters.com ([24.153.220.106])
• Received: from executivecenters.com ([24.172.35.186])
• Received: from executivecenters.com ([64.60.9.115])
• Received: from executivecenters.com ([64.61.172.230])
• Received: from executivecenters.com ([68.188.200.115])
• Received: from executivecenters.com ([69.68.213.2])
• Received: from executivecenters.com ([71.9.102.11])
• Received: from executivecenters.com ([71.12.100.6])
• Received: from executivecenters.com ([74.93.156.78])
• Received: from executivecenters.com ([76.237.148.143])
• Received: from executivecenters.com ([96.40.51.123])
• Received: from executivecenters.com ([96.82.114.57])
• Received: from executivecenters.com ([96.83.60.30])
• Received: from executivecenters.com ([104.136.18.139])
• Received: from executivecenters.com ([107.11.97.242])
• Received: from executivecenters.com ([142.176.85.144])
• Received: from executivecenters.com ([162.222.234.111])
• Received: from executivecenters.com ([173.8.67.169])
• Received: from executivecenters.com ([173.14.210.225])
• Received: from executivecenters.com ([184.169.59.9])
• Received: from executivecenters.com ([190.25.45.116])
• Received: from executivecenters.com ([201.229.68.245])
• Received: from executivecenters.com ([208.245.21.68])
• Received: from executivecenters.com ([216.164.4.50])
• Received: from executivecenters.com ([216.174.138.18])

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

Shown above:  Some alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro ruleset.

 

LINKS IN THE EMAILS TO THE WORD DOCUMENT:

• hxxp://artsforglobalpeaceandhealing.com?NAb47u34E7XuyXe68v=[encoded string representing recipient's email address]
• hxxp://artsforglobalpeaceandhealing.com?oQImm5wem6ox2=[encoded string representing recipient's email address]
• hxxp://artsforglobalpeaceandhealing.org?4ukqo3E5Ork0nas=[encoded string representing recipient's email address]
• hxxp://artsforglobalpeaceandhealing.org?cvt4Q66EXmNu26JUb=[encoded string representing recipient's email address]
• hxxp://ecocoutoure.com?xR7AJ43vObbAEQEzu=[encoded string representing recipient's email address]
• hxxp://hrhprincessleith.com?2r1n0I2277=[encoded string representing recipient's email address]
• hxxp://hrhprincessleith.com?Gd45D0EG=[encoded string representing recipient's email address]
• hxxp://hrhprincessleith.com?i008MIfOIL=[encoded string representing recipient's email address]
• hxxp://hrhprincessleith.com?w0Y64121C5uVY=[encoded string representing recipient's email address]
• hxxp://hrhprincessleith.com?WQ24=[encoded string representing recipient's email address]
• hxxp://iaanetwork.tv?E3clUSC8o6AfA42=[encoded string representing recipient's email address]
• hxxp://iaanetwork.tv?T8mFyUD6Qn70yZUO=[encoded string representing recipient's email address]
• hxxp://iaanetworknews.com?PkynM35oxA=[encoded string representing recipient's email address]
• hxxp://iaasearch.com?4UuiH3040oQJ0=[encoded string representing recipient's email address]
• hxxp://iaasearch.com?cYu3s8S8pUpu014=[encoded string representing recipient's email address]
• hxxp://iaasearch.com?dHYHiy1a61UU0=[encoded string representing recipient's email address]
• hxxp://iaasearch.com?ILmOP2=[encoded string representing recipient's email address]
• hxxp://iaasearch.com?oIu=[encoded string representing recipient's email address]
• hxxp://princessleith.com?82ae0F4bEU43T5=[encoded string representing recipient's email address]
• hxxp://princessleith.com?FPl62ideBmy6azE6oe=[encoded string representing recipient's email address]
• hxxp://princessleith.com?M723p=[encoded string representing recipient's email address]
• hxxp://princessleitheatonde-grimaldi.com?JA2cO3Ey6=[encoded string representing recipient's email address]
• hxxp://princessleithofmonaco.com?8JINjpco2hJN=[encoded string representing recipient's email address]
• hxxp://princessleithofmonaco.com?ZL1O7d23Lq=[encoded string representing recipient's email address]
• hxxp://theartspost.com?06e0A5PoP2Ith8t=[encoded string representing recipient's email address]
• hxxp://theartspost.com?7EL7OXDb6lmy8=[encoded string representing recipient's email address]
• hxxp://theartspost.com?ElisiA6e6o=[encoded string representing recipient's email address]
• hxxp://theartssearch.com?iri0uI2gUces=[encoded string representing recipient's email address]
• hxxp://theartssearch.com?M00=[encoded string representing recipient's email address]
• hxxp://theartsuniversity.com?OgWYIRY54H7UK71=[encoded string representing recipient's email address]

NETWORK TRAFFIC FROM MY INFECTED LAB HOST:

• 82.202.238.203 port 80 - theartspost.com - GET /?ElisiA6e6o=[encoded string representing recipient's email address]
• api.ipify.org - GET /   [IP address check by the infected Windows host]
• 185.48.56.139 port 80 - torsharucal.com - POST /ls5/forum.php
• 185.48.56.139 port 80 - torsharucal.com - POST /mlu/forum.php
• 185.48.56.139 port 80 - torsharucal.com - POST /d2/about.php
• 193.169.189.72 port 80 - mebelucci.com.ua - GET /wp-content/plugins/bwp-google-xml-sitemaps/1
• 193.169.189.72 port 80 - mebelucci.com.ua - GET /wp-content/plugins/bwp-google-xml-sitemaps/2
• 193.169.189.72 port 80 - mebelucci.com.ua - GET /wp-content/plugins/bwp-google-xml-sitemaps/3
• 185.22.65.17 port 443 - camorata.com - HTTPS/SSL/TLS traffic associated with IcedID
• 185.22.65.17 port 443 - localhost - HTTPS/SSL/TLS traffic associated with IcedID
• 185.127.26.227 port 80 - nobleduty.com - GET /f/read.txt   [returned Windows exectuable]
• 185.22.65.17 port 443 - excelano.net - HTTPS/SSL/TLS traffic associated with IcedID

 

FILE HASHES

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  39e5933d46bcdc90baeee09b4ea2419f872cfce5ff7b64f0dbabd13372d4067c
  File size:  214,528 bytes
  File name:  invoice_[6 random digits].doc
  File description:  Word document with macro for Hancitor

• SHA256 hash:  0817708eea27bc52e6fc60dc61730c47554d759a917485eefecded8db76746d4
  File size:  903,168 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\BN87E4.tmp
  File location:  C:\Users\[username]\AppData\Local\hemansgol\theatctaa.exe
  File description:  IcedID banking Trojan

• SHA256 hash:  2e743c85b9cb9c28be19d7d5a945fafa9f4663c2e7615bef7378136dcbf2f6eb
  File size:  825,856 bytes
  File location:  hxxp://nobleduty.com/f/read.txt
  File description:  Windows executable related to the IcedID banking Trojan

 

IMAGES

Shown above:  IceID banking Trojan persistent on the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap:  2017-12-06-Hancitor-malspam-traffic.pcap.zip   1.0 MB (1,032,095 bytes)
• Zip archive of the emails (30 emails in one text file):  2017-12-06-Hancitor-malspam-30-emails.txt.zip   3.7 kB (3,667 bytes)
• Zip archive of the malware:  2017-12-06-malware-from-Hancitor-malspam.zip   695 kB (694,543 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.