2017-12-11 - HANCITOR INFECTION WITH ZEUS PANDA BANKER
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-12-11-Hancitor-infection-with-Zeus-Panda-Banker.pcap.zip 1.8 MB (1,801,555 bytes)
- 2017-12-11-Hancitor-infection-with-Zeus-Panda-Banker.pcap (2,364,151 bytes)
- 2017-12-11-Hancitor-malspam-1654-UTC.eml.zip 1.1 kB (1,077 bytes)
- 2017-12-11-Hancitor-malspam-1654-UTC.eml (2,767 bytes)
- 2017-12-11-malware-from-Hancitor-infection.zip 215.3 kB (215,280 bytes)
- 2017-12-11-Hancitor-maldoc-eFax_729569.doc (40,128 bytes)
- 2017-12-11-Zeus-Panda-Banker-sample.exe (152,064 bytes)
NOTES:
- Today, post-infection malware from Hancitor malspam includes Zeus Panda Banker.
- It's been switching between Zeus Panda Banker and IcedID during the past two weeks or so.
- Of course, there's still Pony and Evil Pony (both fileless) also downloaded by Hancitor from the Word document macro.
- Thanks to @James_inthe_box, who published additional indicators (link) that I've included in this report.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- agelessbuy[.]com
- agelessshow[.]com
- beautyandthearts[.]org
- buyoesh[.]com
- iaaaward[.]com
- iaapublishing[.]com
- iaasavesthearts[.]com
- oesh[.]org
- oeshshoes[.]com
- oeshshoes[.]net
- wearoesh[.]com
- hxxp[:]//aboutthebike[.]co[.]uk/wp-content/plugins/all-in-one-seo-pack/1
- hxxp[:]//aboutthebike[.]co[.]uk/wp-content/plugins/all-in-one-seo-pack/2
- hxxp[:]//aboutthebike[.]co[.]uk/wp-content/plugins/all-in-one-seo-pack/3
- hxxp[:]//beyondthebag.feedprojects[.]com/wp-content/plugins/featured-image-widget/1
- hxxp[:]//beyondthebag.feedprojects[.]com/wp-content/plugins/featured-image-widget/2
- hxxp[:]//beyondthebag.feedprojects[.]com/wp-content/plugins/featured-image-widget/3
- hxxp[:]//modelhover[.]org/1
- hxxp[:]//modelhover[.]org/2
- hxxp[:]//modelhover[.]org/3
- hxxp[:]//sterrenburgvanduijn[.]nl/wp-content/plugins/gallery-bank/1
- hxxp[:]//sterrenburgvanduijn[.]nl/wp-content/plugins/gallery-bank/2
- hxxp[:]//sterrenburgvanduijn[.]nl/wp-content/plugins/gallery-bank/3
- hxxp[:]//www.nationejobs[.]com/campaign/1
- hxxp[:]//www.nationejobs[.]com/campaign/2
- hxxp[:]//www.nationejobs[.]com/campaign/3
- butenrestold[.]com
- hadrecrolof[.]ru
- goonronto[.]ru
- aningtorsfave[.]com
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Received: from ironrockcc[.]com ([168.111.104.[153]
- Date/Time: Monday 2017-12-11 at 16:54 UTC
- Subject: New incoming fax from 1-610-378-2367 on Mon, 11 Dec 2017 11:54:49 -0500
- From (spoofed): "eFax.com" <efax@ironrockcc[.]com>
Shown above: Clicking on link from the email.
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
DOMAINS FROM LINKS IN THE EMAILS TO THE WORD DOCUMENT:
- hxxp[:]//agelessbuy[.]com/?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//agelessshow[.]com/?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//beautyandthearts[.]org/?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//buyoesh[.]com/?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//iaaaward[.]com/?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//iaapublishing[.]com/?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//iaasavesthearts[.]com/?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//oesh[.]org/?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//oeshshoes[.]com/?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//oeshshoes[.]net/?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//wearoesh[.]com/?[encoded string]=[encoded string representing recipient's email address]
NETWORK TRAFFIC FROM MY INFECTED LAB HOST:
- 92.53.87[.]50 port 80 - agelessshow[.]com - GET /?[encoded string]=[encoded string representing recipient's email address]
- api.ipify[.]org - GET / [IP address check by the infected Windows host]
- 217.197.116[.]29 port 80 - butenrestold[.]com - POST /ls5/forum.php
- 217.197.116[.]29 port 80 - butenrestold[.]com - POST /mlu/forum.php
- 217.197.116[.]29 port 80 - butenrestold[.]com - POST /d2/about.php
- 91.142.253[.]85 port 80 - sterrenburgvanduijn[.]nl - GET /wp-content/plugins/gallery-bank/1
- 91.142.253[.]85 port 80 - sterrenburgvanduijn[.]nl - GET /wp-content/plugins/gallery-bank/2
- 91.142.253[.]85 port 80 - sterrenburgvanduijn[.]nl - GET /wp-content/plugins/gallery-bank/3
- 202.60.199[.]201 port 80 - www.nationejobs[.]com - GET /campaign/1
- 202.60.199[.]201 port 80 - www.nationejobs[.]com - GET /campaign/2
- 202.60.199[.]201 port 80 - www.nationejobs[.]com - GET /campaign/3
- 79.170.40[.]178 port 80 - modelhover[.]org - GET /1
- 79.170.40[.]178 port 80 - modelhover[.]org - GET /2
- 79.170.40[.]178 port 80 - modelhover[.]org - GET /3
- 217.29.53[.]132 port 443 - aningtorsfave[.]com - HTTPS/SSL/TLS traffic associated with Zeus Panda Banker
FILE HASHES
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: 4bef47068c1d5f8bbea0662a31df9a1a7ecfef2448f0b2eb9acdb502be210c3d
File size: 240,128 bytes
File name: eFax_[6 random digits].doc
File description: Word document with macro for Hancitor
- SHA256 hash: 05e7b5f18cf8ca0d672121b879d5b7ad2e854f8b6052f9e5b8f60ad4a3daa808
File size: 152,064 bytes
File location: C:\Users\[username]\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\Internet Explorer.exe
File description: Zeus Panda Banker
IMAGES
Shown above: Zeus Panda Banker persistent on the infected Windows host.
Click here to return to the main page.