2018-03-07 - HANCITOR INFECTION WITH ZEUS PANDA BANKER

NOTICE:

ASSOCIATED FILES:

  • 2018-03-07-Hancitor-infection-traffic.pcap   (2,484,788 bytes)
  • 2018-03-07-Zeus-Panda-Banker-infection-traffic.pcap   (15,218 bytes)
  • 2018-03-07-Hancitor-malspam-26-examples.txt   (442,183 bytes)
  • 2018-03-07-Hancitor-maldoc-invoice_276194.doc   (226,304 bytes)
  • 2018-03-07-Zeus-Panda-Banker.exe   (163,840 bytes)

NOTES:


Shown above:  Screenshot from one of the emails.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

 

EMAILS


Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

 


Shown above:  Clicking on a link from one of the malspam examples.

 


Shown above:  Malicious Word document downloaded from link in the malspam.

 

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

 


Shown above:  Zeus Panda Banker traffic filtered in Wireshark.

 

LINKS IN THE EMAILS FOR THE WORD DOCUMENT:

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

 

FILE HASHES

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

 

IMAGES


Shown above:  Zeus Panda Banker persistent on an infected Windows host.

 

Click here to return to the main page.