2017-12-11 - HANCITOR INFECTION WITH ZEUS PANDA BANKER

NOTICE:

ASSOCIATED FILES:

  • 2017-12-11-Hancitor-infection-with-Zeus-Panda-Banker.pcap   (2,364,151 bytes)
  • 2017-12-11-Hancitor-malspam-1654-UTC.eml   (2,767 bytes)
  • 2017-12-11-Hancitor-maldoc-eFax_729569.doc   (40,128 bytes)
  • 2017-12-11-Zeus-Panda-Banker-sample.exe   (152,064 bytes)

NOTES:

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

 

EMAILS


Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

 


Shown above:  Clicking on link from the email.

 


Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

 

DOMAINS FROM LINKS IN THE EMAILS TO THE WORD DOCUMENT:

NETWORK TRAFFIC FROM MY INFECTED LAB HOST:

 

FILE HASHES

MALWARE RETRIEVED FROM THE INFECTED HOST:

 

IMAGES


Shown above:  Zeus Panda Banker persistent on the infected Windows host.

 

Click here to return to the main page.