Malware-Traffic-Analysis.net - 2017-12-06 - Hancitor infection with IcedID

2017-12-06 - HANCITOR INFECTION WITH ICEDID

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2017-12-06-Hancitor-infection-with-IcedID.pcap.zip 1.0 MB (1,032,107 bytes)

2017-12-06-Hancitor-infection-with-IcedID.pcap (1,934,709 bytes)

2017-12-06-Hancitor-malspam-30-examples.txt.zip 3.7 kB (3,671 bytes)

2017-12-06-Hancitor-malspam-30-examples.txt (34,526 bytes)

2017-12-06-malware-from-Hancitor-infection.zip 695.0 kB (694,985 bytes)

2017-12-06-Hancitor-maldoc-invoice_491457.doc (214,528 bytes)

2017-12-06-IcedID-theatctaa.exe (903,168 bytes)

2017-12-06-binary-from-nobleduty_com.exe (825,856 bytes)

NOTES:

Yesterday, post-infection malware from Hancitor malspam included Zeus Panda Banker. Today, it included IcedID.
Of course, there's still Pony and Evil Pony (both fileless) being downloaded by Hancitor from the Word document macro.
I previously documented IcedID from Hancitor malspam on 2017-11-21.
There's another file similar to IcedID involved (same file icon), but I don't think it's a downloader this time.
Not sure what the encoding is for the string that represents the recipient's email address in links from the malspam. It's not a Base64 string like we've seen before.
Thanks to @James_inthe_box and @Techhelplistcom who published additional indicators that I've included in this report.

WEB TRAFFIC BLOCK LIST

Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:

artsforglobalpeaceandhealing[.]com
artsforglobalpeaceandhealing[.]org
ecocoutoure[.]com
hrhprincessleith[.]com
iaanetwork[.]tv
iaanetworknews[.]com
iaasearch[.]com
princessleith[.]com
princessleitheatonde-grimaldi[.]com
princessleithofmonaco[.]com
theartspost[.]com
theartssearch[.]com
theartsuniversity[.]com

athedtburen[.]ru
ronhingotlo[.]ru
torsharucal[.]com

hxxp[:]//halletts[.]com/wp-content/plugins/wp-db-backup-made/1
hxxp[:]//halletts[.]com/wp-content/plugins/wp-db-backup-made/2
hxxp[:]//halletts[.]com/wp-content/plugins/wp-db-backup-made/3
hxxp[:]//mebelucci[.]com[.]ua/wp-content/plugins/bwp-google-xml-sitemaps/1
hxxp[:]//mebelucci[.]com[.]ua/wp-content/plugins/bwp-google-xml-sitemaps/2
hxxp[:]//mebelucci[.]com[.]ua/wp-content/plugins/bwp-google-xml-sitemaps/3
hxxp[:]//mutznutzpetcare[.]com/wp-content/plugins/category-posts/1
hxxp[:]//mutznutzpetcare[.]com/wp-content/plugins/category-posts/2
hxxp[:]//mutznutzpetcare[.]com/wp-content/plugins/category-posts/3
hxxp[:]//sgs36[.]ru/wp-content/plugins/lightbox-plus/1
hxxp[:]//sgs36[.]ru/wp-content/plugins/lightbox-plus/2
hxxp[:]//sgs36[.]ru/wp-content/plugins/lightbox-plus/3
hxxp[:]//utilitia[.]com/wp-content/plugins/custom-post-type-ui/1
hxxp[:]//utilitia[.]com/wp-content/plugins/custom-post-type-ui/2
hxxp[:]//utilitia[.]com/wp-content/plugins/custom-post-type-ui/3

camorata[.]com
excelano[.]net
dorothyle[.]net
nobleduty[.]com

EMAILS

Shown above: Screenshot from one of the emails.

EMAIL HEADERS:

Date/Time: Wednesday 2017-12-06 as early as 15:29 UTC through at least 19:48 UTC
Subject: RE: FYI invoice status
From: "[random first and last names]" <finance@executivecenters[.]com>

Received: from executivecenters[.]com ([12.154.171[.]180])
Received: from executivecenters[.]com ([23.31.1[.]70])
Received: from executivecenters[.]com ([24.18.144[.]193])
Received: from executivecenters[.]com ([24.153.220[.]106])
Received: from executivecenters[.]com ([24.172.35[.]186])
Received: from executivecenters[.]com ([64.60.9[.]115])
Received: from executivecenters[.]com ([64.61.172[.]230])
Received: from executivecenters[.]com ([68.188.200[.]115])
Received: from executivecenters[.]com ([69.68.213[.]2])
Received: from executivecenters[.]com ([71.9.102[.]11])
Received: from executivecenters[.]com ([71.12.100[.]6])
Received: from executivecenters[.]com ([74.93.156[.]78])
Received: from executivecenters[.]com ([76.237.148[.]143])
Received: from executivecenters[.]com ([96.40.51[.]123])
Received: from executivecenters[.]com ([96.82.114[.]57])
Received: from executivecenters[.]com ([96.83.60[.]30])
Received: from executivecenters[.]com ([104.136.18[.]139])
Received: from executivecenters[.]com ([107.11.97[.]242])
Received: from executivecenters[.]com ([142.176.85[.]144])
Received: from executivecenters[.]com ([162.222.234[.]]111])
Received: from executivecenters[.]com ([173.8.67[.]169])
Received: from executivecenters[.]com ([173.14.210[.]225])
Received: from executivecenters[.]com ([184.169.59[.]9])
Received: from executivecenters[.]com ([190.25.45[.]116])
Received: from executivecenters[.]com ([201.229.68[.]245])
Received: from executivecenters[.]com ([208.245.21[.]68])
Received: from executivecenters[.]com ([216.164.4[.]50])
Received: from executivecenters[.]com ([216.174.138[.]18])

Shown above: Malicious Word document from link in the malspam.

TRAFFIC

Shown above: Traffic from the infection filtered in Wireshark.

Shown above: Some alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro ruleset.

LINKS IN THE EMAILS TO THE WORD DOCUMENT:

hxxp[:]//artsforglobalpeaceandhealing[.]com?NAb47u34E7XuyXe68v=[encoded string representing recipient's email address]
hxxp[:]//artsforglobalpeaceandhealing[.]com?oQImm5wem6ox2=[encoded string representing recipient's email address]
hxxp[:]//artsforglobalpeaceandhealing[.]org?4ukqo3E5Ork0nas=[encoded string representing recipient's email address]
hxxp[:]//artsforglobalpeaceandhealing[.]org?cvt4Q66EXmNu26JUb=[encoded string representing recipient's email address]
hxxp[:]//ecocoutoure[.]com?xR7AJ43vObbAEQEzu=[encoded string representing recipient's email address]
hxxp[:]//hrhprincessleith[.]com?2r1n0I2277=[encoded string representing recipient's email address]
hxxp[:]//hrhprincessleith[.]com?Gd45D0EG=[encoded string representing recipient's email address]
hxxp[:]//hrhprincessleith[.]com?i008MIfOIL=[encoded string representing recipient's email address]
hxxp[:]//hrhprincessleith[.]com?w0Y64121C5uVY=[encoded string representing recipient's email address]
hxxp[:]//hrhprincessleith[.]com?WQ24=[encoded string representing recipient's email address]
hxxp[:]//iaanetwork[.]tv?E3clUSC8o6AfA42=[encoded string representing recipient's email address]
hxxp[:]//iaanetwork[.]tv?T8mFyUD6Qn70yZUO=[encoded string representing recipient's email address]
hxxp[:]//iaanetworknews[.]com?PkynM35oxA=[encoded string representing recipient's email address]
hxxp[:]//iaasearch[.]com?4UuiH3040oQJ0=[encoded string representing recipient's email address]
hxxp[:]//iaasearch[.]com?cYu3s8S8pUpu014=[encoded string representing recipient's email address]
hxxp[:]//iaasearch[.]com?dHYHiy1a61UU0=[encoded string representing recipient's email address]
hxxp[:]//iaasearch[.]com?ILmOP2=[encoded string representing recipient's email address]
hxxp[:]//iaasearch[.]com?oIu=[encoded string representing recipient's email address]
hxxp[:]//princessleith[.]com?82ae0F4bEU43T5=[encoded string representing recipient's email address]
hxxp[:]//princessleith[.]com?FPl62ideBmy6azE6oe=[encoded string representing recipient's email address]
hxxp[:]//princessleith[.]com?M723p=[encoded string representing recipient's email address]
hxxp[:]//princessleitheatonde-grimaldi[.]com?JA2cO3Ey6=[encoded string representing recipient's email address]
hxxp[:]//princessleithofmonaco[.]com?8JINjpco2hJN=[encoded string representing recipient's email address]
hxxp[:]//princessleithofmonaco[.]com?ZL1O7d23Lq=[encoded string representing recipient's email address]
hxxp[:]//theartspost[.]com?06e0A5PoP2Ith8t=[encoded string representing recipient's email address]
hxxp[:]//theartspost[.]com?7EL7OXDb6lmy8=[encoded string representing recipient's email address]
hxxp[:]//theartspost[.]com?ElisiA6e6o=[encoded string representing recipient's email address]
hxxp[:]//theartssearch[.]com?iri0uI2gUces=[encoded string representing recipient's email address]
hxxp[:]//theartssearch[.]com?M00=[encoded string representing recipient's email address]
hxxp[:]//theartsuniversity[.]com?OgWYIRY54H7UK71=[encoded string representing recipient's email address]

NETWORK TRAFFIC FROM MY INFECTED LAB HOST:

82.202.238[.]203 port 80 - theartspost[.]com - GET /?ElisiA6e6o=[encoded string representing recipient's email address]
api.ipify[.]org - GET / [IP address check by the infected Windows host]
185.48.56[.]139 port 80 - torsharucal[.]com - POST /ls5/forum.php
185.48.56[.]139 port 80 - torsharucal[.]com - POST /mlu/forum.php
185.48.56[.]139 port 80 - torsharucal[.]com - POST /d2/about.php
193.169.189[.]72 port 80 - mebelucci[.]com[.]ua - GET /wp-content/plugins/bwp-google-xml-sitemaps/1
193.169.189[.]72 port 80 - mebelucci[.]com[.]ua - GET /wp-content/plugins/bwp-google-xml-sitemaps/2
193.169.189[.]72 port 80 - mebelucci[.]com[.]ua - GET /wp-content/plugins/bwp-google-xml-sitemaps/3
185.22.65[.]17 port 443 - camorata[.]com - HTTPS/SSL/TLS traffic associated with IcedID
185.22.65[.]17 port 443 - localhost - HTTPS/SSL/TLS traffic associated with IcedID
185.127.26.]227 port 80 - nobleduty[.]com - GET /f/read.txt [returned Windows exectuable]
185.22.65[.]17 port 443 - excelano[.]net - HTTPS/SSL/TLS traffic associated with IcedID

FILE HASHES

MALWARE RETRIEVED FROM THE INFECTED HOST:

SHA256 hash: 39e5933d46bcdc90baeee09b4ea2419f872cfce5ff7b64f0dbabd13372d4067c
File size: 214,528 bytes
File name: invoice_[6 random digits].doc
File description: Word document with macro for Hancitor

SHA256 hash: 0817708eea27bc52e6fc60dc61730c47554d759a917485eefecded8db76746d4
File size: 903,168 bytes
File location: C:\Users\[username]\AppData\Local\Temp\BN87E4.tmp
File location: C:\Users\[username]\AppData\Local\hemansgol\theatctaa.exe
File description: Wubdiws EXE for IcedID

SHA256 hash: 2e743c85b9cb9c28be19d7d5a945fafa9f4663c2e7615bef7378136dcbf2f6eb
File size: 825,856 bytes
File location: hxxp[:]//nobleduty[.]com/f/read.txt
File description: Windows EXE, possibly related to the IcedID infection

IMAGES

Shown above: IceID persistent on the infected Windows host.

Click here to return to the main page.