2018-03-06 - HANCITOR INFECTION WITH ZEUS PANDA BANKER

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the traffic:  2018-03-06-Hancitor-infection-with-Zeus-Panda-Banker.pcap.zip   2.2 MB (2,177,653 bytes)

• 2018-03-06-Hancitor-infection-with-Zeus-Panda-Banker.pcap   (2,561,762 bytes)

• Zip archive of the emails:  2018-03-06-Hancitor-malspam-26-examples.txt.zip   7.5 kB (7,442 bytes)

• 2018-03-06-Hancitor-malspam-26-examples.txt   (162,412 bytes)

• Zip archive of the malware:  2018-03-06-malware-from-Hancitor-infection.zip   252 kB (252,208 bytes)

• 2018-03-06-Hancitor-maldoc-invoice_387239.doc   (259,072 bytes)
• 2018-03-06-Zeus-Panda-Banker.exe   (164,352 bytes)

NOTES:

• As usual, for the 3 follow-up downloads, we're still seeing Pony, Evil Pony (both resident in memory), and Zeus Panda Banker (saved to disk).
• The block list contains additional post-infection URLs originally reported by @Techhelplistcom on the VirusTotal entry for today's Word document.
• As always, thanks to everyone who keeps an eye on this malspam and reports about it on Twitter.  Your tweets help more than you realize.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• babyfurniturewarehouse[.]com
• buildwith307[.]com
• carrythelamp[.]net
• dickswingsgrill[.]com
• freedomtonurse[.]net
• freeholdsurgical[.]net
• freeholdsurgical[.]org
• hnigrp[.]com
• hniltd[.]com
• myyobe[.]biz
• nightingalenurses[.]org
• wingsfinger[.]com
• wingsfingers[.]com
• tebabretof[.]com
• dinglebetna[.]ru
• etranutha[.]ru
• hxxp[:]//gamesfree247[.]info/1
• hxxp[:]//gamesfree247[.]info/2
• hxxp[:]//gamesfree247[.]info/3
• hxxp[:]//ncbc.co[.]za/wp-content/plugins/twg-members/1
• hxxp[:]//ncbc.co[.]za/wp-content/plugins/twg-members/2
• hxxp[:]//ncbc.co[.]za/wp-content/plugins/twg-members/3
• hxxp[:]//lifemotivator[.]tv/wp-content/plugins/contact-form-7/includes/1
• hxxp[:]//lifemotivator[.]tv/wp-content/plugins/contact-form-7/includes/2
• hxxp[:]//lifemotivator[.]tv/wp-content/plugins/contact-form-7/includes/3
• hxxp[:]//gigabitsoftware[.]com/wp-content/plugins/backupbuddy/1
• hxxp[:]//gigabitsoftware[.]com/wp-content/plugins/backupbuddy/2
• hxxp[:]//gigabitsoftware[.]com/wp-content/plugins/backupbuddy/3
• hxxp[:]//printforall[.]ro/wp-content/plugins/simple-meta-tags/1
• hxxp[:]//printforall[.]ro/wp-content/plugins/simple-meta-tags/2
• hxxp[:]//printforall[.]ro/wp-content/plugins/simple-meta-tags/3
• ofhahertit[.]com

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date/Time:  Tuesday 2018-03-06 as early as 17:40 UTC through at least 20:59 UTC

• Received: from bandgequipment[.]com ([24.37.246[.]50])
• Received: from bandgequipment[.]com ([24.123.173[.]42])
• Received: from bandgequipment[.]com ([24.197.23[.]66])
• Received: from bandgequipment[.]com ([50.27.155[.]34])
• Received: from bandgequipment[.]com ([50.192.158[.]228])
• Received: from bandgequipment[.]com ([67.185.1[.]213])
• Received: from bandgequipment[.]com ([68.173.167[.]190])
• Received: from bandgequipment[.]com ([69.67.101[.]131])
• Received: from bandgequipment[.]com ([70.168.199[.]133])
• Received: from bandgequipment[.]com ([71.95.218[.]234])
• Received: from bandgequipment[.]com ([75.88.14[.]241])
• Received: from bandgequipment[.]com ([97.84.33[.]210])
• Received: from bandgequipment[.]com ([98.101.194[.]106])
• Received: from bandgequipment[.]com ([100.8.232[.]154])
• Received: from bandgequipment[.]com ([131.161.86[.]199])
• Received: from bandgequipment[.]com ([137.101.218[.]89])
• Received: from bandgequipment[.]com ([137.188.108[.]19])
• Received: from bandgequipment[.]com ([173.12.239[.]115])
• Received: from bandgequipment[.]com ([184.71.42[.]34])
• Received: from bandgequipment[.]com ([206.63.234[.]219])
• Received: from bandgequipment[.]com ([216.3.207[.]162])
• Received: from nxgndata[.]com ([50.255.94[.]41])
• Received: from nxgndata[.]com ([67.213.231[.]13])
• Received: from nxgndata[.]com ([72.93.244[.]154])
• Received: from nxgndata[.]com ([173.12.239[.]115])
• Received: from nxgndata[.]com ([184.71.42[.]34])

• From: "DocuSign Electronic Signature  Service" <invoice@bandgequipment[.]com>
• From: "DocuSign Electronic Signature " <invoice@bandgequipment[.]com>
• From: "DocuSign Electronic Signature " <invoice@nxgndata[.]com>
• From: "DocuSign Electronic Signature and Invoice Service" <invoice@bandgequipment[.]com>
• From: "DocuSign Electronic Signature and Invoice Service" <invoice@nxgndata[.]com>
• From: "DocuSign Electronic Signature and Invoice" <invoice@bandgequipment[.]com>
• From: "DocuSign Signature  Service" <invoice@bandgequipment[.]com>
• From: "DocuSign Signature  Service" <invoice@nxgndata[.]com>
• From: "DocuSign Signature " <invoice@bandgequipment[.]com>
• From: "DocuSign Signature " <invoice@nxgndata[.]com>
• From: "DocuSign Signature and Invoice Service" <invoice@bandgequipment[.]com>
• From: "DocuSign Signature and Invoice" <invoice@bandgequipment[.]com>
• From: "DocuSign Signature and Invoice" <invoice@nxgndata[.]com>

• Subject: You got invoice from DocuSign Electronic Service
• Subject: You got invoice from DocuSign Electronic Signature Service
• Subject: You got invoice from DocuSign Signature Service
• Subject: You got notification from DocuSign Service
• Subject: You got notification from DocuSign Signature Service
• Subject: You received invoice from DocuSign Electronic Service
• Subject: You received invoice from DocuSign Electronic Signature Service
• Subject: You received invoice from DocuSign Service
• Subject: You received invoice from DocuSign Signature Service
• Subject: You received notification from DocuSign Electronic Service
• Subject: You received notification from DocuSign Electronic Signature Service
• Subject: You received notification from DocuSign Service
• Subject: You received notification from DocuSign Signature Service

 

Shown above:  Malicious Word document downloaded from a link in the malspam.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

LINKS IN THE EMAILS FOR THE WORD DOCUMENT:

• hxxp[:]//babyfurniturewarehouse[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//buildwith307[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//carrythelamp[.]net?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//dickswingsgrill[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//freedomtonurse[.]net?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//freeholdsurgical[.]net?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//freeholdsurgical[.]org?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//hnigrp[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//hniltd[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//myyobe[.]biz?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//nightingalenurses[.]org?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//wingsfinger[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//wingsfingers[.]com?[string of characters]=[encoded string representing recipient's email address]

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

• 95.213.203[.]60 port 80 - buildwith307[.]com - GET /?[string of characters]=[encoded string representing recipient's email address]
• port 80 - api.ipify[.]org - GET /
• 185.74.255[.]109 port 80 - tebabretof[.]com - POST /ls5/forum.php
• 185.74.255[.]109 port 80 - tebabretof[.]com - POST /mlu/forum.php
• 185.74.255[.]109 port 80 - tebabretof[.]com - POST /d2/about.php
• 192.232.223[.]48 port 80 - gamesfree247[.]info - GET /1
• 192.232.223[.]48 port 80 - gamesfree247[.]info - GET /2
• 192.232.223[.]48 port 80 - gamesfree247[.]info - GET /3
• 192.71.247[.]158 port 443 - ofhahertit[.]com - HTTPS/SSL/TLS traffic from Zeus Panda Banker
• port 443 - google[.]com - connectivity check caused by Zeus Panda Banker

 

FILE HASHES

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

• SHA256 hash:  60149abf042392e352795c4bb2d731a75332e4bceb0daf83164baa0dcfa0dcd3
  File size:  259,072 bytes
  File name:  invoice_387239.doc [any six random digits for the numbers]
  File description:  Word document with macro for Hancitor

• SHA256 hash:  f6df24d8a669b5ad298a47b9cd7fb2800e46c2cac75ee519955137b7d2abdb6f
  File size:  164,352 bytes
  File location:  C:\Users\[username]\AppData\Local\[existing directory path]\[random name].exe
  File description:  Zeus Panda Banker

 

IMAGES

Shown above:  Zeus Panda Banker persistent on an infected Windows host.

 

Click here to return to the main page.