2018-05-01 - HANCITOR MALSPAM - FAKE U.S. BANK NOTIFICATIONS
ASSOCIATED FILES:
- Zip archive of the traffic: 2018-05-01-Hancitor-malspam-infection-traffic.pcap.zip 582 kB (582,423 bytes)
- 2018-05-01-Hancitor-malspam-infection-traffic.pcap (784,611 bytes)
- Zip archive of the emails: 2018-05-01-Hancitor-malspam-60-email-examples.txt.zip 39 kB (39,209 bytes)
- 2018-05-01-Hancitor-malspam-60-email-examples.txt (1,296,449 bytes)
- Zip archive of the malware: 2018-05-01-Hancitor-infection-artifacts.zip 307 kB (306,518 bytes)
- 2018-05-01-Word-doc-with-macro-for-Hancitor.doc (276,480 bytes)
- 2018-05-01-Zeus-Panda-Banker-from-Hancitor.exe (168,448 bytes)
NOTES:
- The block list contains additional info reported by @Techhelplistcom in the VirusTotal entry for the associated Word Document.
- As always, my thanks to everyone who keeps an eye on this malspam and reports on it in near-real-time on Twitter.
Shown above: Flow chart for a typical Hancitor malspam infection.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date/Time: Tuesday 2018-05-01 as early as 14:35 UTC through at least 19:20 UTC
- From: "U.S. Bank Online " <usbank@stjamesmac.com>
- From: "U.S. Bank Online Banking" <usbank@stjamesmac.com>
- Subject: U.S. Bank Alert
- Subject: U.S. Bank Message
- Subject: U.S. Bank Notice
- Subject: U.S. Bank Notification
Shown above: Malicious Word document downloaded from link in the malspam.
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
LINKS IN THE EMAILS TO DOWNLOAD THE WORD DOCUMENT:
NETWORK TRAFFIC FROM AN INFECTED LAB HOST:
- 35.187.117.14 port 80 - gamification4you.com - GET /?[string of characters]=[encoded string representing recipient's email address]
- port 80 - api.ipify.org - GET /
- 185.220.33.217 port 80 - supratparfa.com - POST /4/forum.php
- 185.220.33.217 port 80 - supratparfa.com - POST /mlu/about.php
- 185.220.33.217 port 80 - supratparfa.com - POST /d2/about.php
- 50.87.150.104 port 80 - kdprvirtual.com - GET /wp-content/plugins/duplicate-post/1
- 50.87.150.104 port 80 - kdprvirtual.com - GET /wp-content/plugins/duplicate-post/2
- 50.87.150.104 port 80 - kdprvirtual.com - GET /wp-content/plugins/duplicate-post/3
- 146.120.110.14 port 443 - bithetbuter.ru - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
- port 80 - www.google.com - HTTPS/SSL/TLS traffic - probable connectivity check caused by Zeus Panda Banker
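Detection logic written for this page as an added example (not code from the original post): it groups constructed proxy log lines by client and flags any client that shows two or more of the stages listed above, namely the api.ipify.org check, a POST to the Hancitor check-in paths, and numbered pulls from a wp-content/plugins path on a compromised site. The log lines and the query string are constructed; the domains and paths are the ones recorded above.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not taken from the pcap), one request per line
# in the form "client method host path", mirroring the sequence on this page.
SAMPLE_LOG = """\
10.0.0.5 GET gamification4you.com /?XkSvd=dXNlckBleGFtcGxlLmNvbQ
10.0.0.5 GET api.ipify.org /
10.0.0.5 POST supratparfa.com /4/forum.php
10.0.0.5 POST supratparfa.com /mlu/about.php
10.0.0.5 GET kdprvirtual.com /wp-content/plugins/duplicate-post/1
10.0.0.5 GET kdprvirtual.com /wp-content/plugins/duplicate-post/2
10.0.0.7 GET api.ipify.org /
10.0.0.7 GET www.example.com /index.html
"""

# Hancitor check-ins seen on this page: POST to /<short>/forum.php or about.php
C2_POST = re.compile(r"^/[0-9a-z]{1,4}/(forum|about)\.php$")
# Follow-up payload pulls: numbered files 1-3 under a WordPress plugin directory
WP_STAGE = re.compile(r"/wp-content/plugins/[^/]+/[1-3]$")

def parse_line(line):
    """Split one constructed log line into (client, method, host, path)."""
    client, method, host, path = line.split(None, 3)
    return client, method, host, path

def chain_stages(events):
    """Return the infection-chain stages seen for one client, first-seen order."""
    stages = []
    for method, host, path in events:
        if method == "GET" and host == "api.ipify.org" and "ipify" not in stages:
            stages.append("ipify")
        elif method == "POST" and C2_POST.match(path) and "c2_post" not in stages:
            stages.append("c2_post")
        elif method == "GET" and WP_STAGE.search(path) and "wp_stage" not in stages:
            stages.append("wp_stage")
    return stages

def find_hancitor_chains(log_text, min_stages=2):
    """Group requests by client; flag clients showing at least min_stages stages.
    An ipify lookup alone is common in benign software, hence the default of 2."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            client, method, host, path = parse_line(line)
            per_client[client].append((method, host, path))
    flagged = {}
    for client, events in per_client.items():
        stages = chain_stages(events)
        if len(stages) >= min_stages:
            flagged[client] = stages
    return flagged
```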
FILE HASHES
MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:
- SHA256 hash: d2a812fbc44b5612d39806a96631b36f5b98c93458e49eb4f0ace42b6b8d6c66
  File size: 276,480 bytes
  File name: invoice_231078.doc [any six random digits for the numbers]
  File description: Word document with macro for Hancitor
- SHA256 hash: 93930920ab4fab2dac0978c390b59cd6a6cb037c1faf404c0bdbe1e2f575fd2c
  File size: 168,448 bytes
  File location: C:\Users\[username]\AppData\Roaming\[existing directory path]\[random name].exe
  File description: Zeus Panda Banker
Shown above: Zeus Panda Banker persistent on the infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the traffic: 2018-05-01-Hancitor-malspam-infection-traffic.pcap.zip 582 kB (582,423 bytes)
- Zip archive of the emails: 2018-05-01-Hancitor-malspam-60-email-examples.txt.zip 39 kB (39,209 bytes)
- Zip archive of the malware: 2018-05-01-Hancitor-infection-artifacts.zip 307 kB (306,518 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.