2018-07-09 - HANCITOR MALSPAM INFECTION TRAFFIC WITH ZEUS PANDA BANKER
ASSOCIATED FILES:
- 2018-07-09-Hancitor-malspam-1506-UTC.eml.zip 2.0 kB (2,040 bytes)
- 2018-07-09-Hancitor-malspam-1506-UTC.eml (6.048 bytes)
- 2018-07-09-Hancitor-malspam-infection-traffic.pcap.zip 2.4 MB (2,358,362 bytes)
- 2018-07-09-Hancitor-malspam-infection-traffic.pcap (2,963,326 bytes)/li>
- 2018-07-09-malware-from-Hancitor-infection.zip 270 kB (270,402 bytes)
- 2018-07-09-Hancitor-binary-6C.pif.exe (56,320 bytes)
- 2018-07-09-Zeus-Panda-Banker-caused-by-Hancitor-infection.exe (172,544 bytes)
- 2018-07-09-downloaded-Word-doc-with-macro-for-Hancitor.doc (181,760 bytes)
NOTES:
- As always, thanks to @Techhelplist, @James_inthe_box, and the many others who keep a close eye on this. Their info helps make my blog posts more complete.
- And thanks to everyone who contributed to the discussion thread on Twitter when I was having problems downloading the initial Word document.
Shown above: Flow chart for today's Hancitor malspam infection.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domain and URLs:
- altilium.com
- altilium.net
- dryerventwizardcanada.biz
- getlintout.biz
- getthelintout.info
- pbtmail.com
- pbtmail.net
- thedryerventwizard.biz
- thedryerventwizard.ca
- wegetthelintout.ca
- wegetthelintout.net
- hinwasslysed.com
- harforusero.ru
- berofaked.ru
- hxxp://realeverydaybusiness.com/wp-content/plugins/jetpack-popular-posts/1
- hxxp://realeverydaybusiness.com/wp-content/plugins/jetpack-popular-posts/2
- hxxp://realeverydaybusiness.com/wp-content/plugins/jetpack-popular-posts/3
- hxxp://ourfamilyhome.biz/wp-content/plugins/formget-contact-form/inc/1
- hxxp://ourfamilyhome.biz/wp-content/plugins/formget-contact-form/inc/2
- hxxp://ourfamilyhome.biz/wp-content/plugins/formget-contact-form/inc/3
- hxxp://scientificservicesinc.com/wp-content/plugins/themestarta/1
- hxxp://scientificservicesinc.com/wp-content/plugins/themestarta/2
- hxxp://scientificservicesinc.com/wp-content/plugins/themestarta/3
- hxxp://psychprofiler.com/wp-content/plugins/limit-login-attempts/1
- hxxp://psychprofiler.com/wp-content/plugins/limit-login-attempts/2
- hxxp://psychprofiler.com/wp-content/plugins/limit-login-attempts/3
- hxxp://thewordspoken.org/wp-content/plugins/backupwordpress/1
- hxxp://thewordspoken.org/wp-content/plugins/backupwordpress/2
- hxxp://thewordspoken.org/wp-content/plugins/backupwordpress/3
- myaningmuchme.ru
EMAILS
Shown above: Example of the malspam.
EMAIL HEADERS FROM TODAY'S HANCITOR MALSPAM EXAMPLE:
Received: from abramscpa.com ([173.51.132.44]) by [removed] for [removed];
Mon, 09 Jul 2018 15:06:40 +0000 (UTC)
Message-ID: <1C2ED6EA.ACEFB0C6@abramscpa.com>
Date: Mon, 09 Jul 2018 08:06:43 -0700
Reply-To: "HelloFax" <hellofax@abramscpa.com>
From: "HelloFax Inc." <hellofax@abramscpa.com>
X-Mailer: Apple Mail (2.1990.1)
MIME-Version: 1.0
TO: [removed]
Subject: HelloFax, Here is Your Fax
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: 7bit
Shown above: Word doc downloaded from link in the malspam.
INFECTION TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
LINKS IN THE EMAILS TO DOWNLOAD THE MALICIOUS WORD DOCUMENT:
- hxxp://altilium.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://altilium.net?[string of characters]=[encoded string representing recipient's email address]
- hxxp://dryerventwizardcanada.biz?[string of characters]=[encoded string representing recipient's email address]
- hxxp://getlintout.biz?[string of characters]=[encoded string representing recipient's email address]
- hxxp://getthelintout.info?[string of characters]=[encoded string representing recipient's email address]
- hxxp://pbtmail.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://pbtmail.net?[string of characters]=[encoded string representing recipient's email address]
- hxxp://thedryerventwizard.biz?[string of characters]=[encoded string representing recipient's email address]
- hxxp://thedryerventwizard.ca?[string of characters]=[encoded string representing recipient's email address]
- hxxp://wegetthelintout.ca?[string of characters]=[encoded string representing recipient's email address]
- hxxp://wegetthelintout.net?[string of characters]=[encoded string representing recipient's email address]
NETWORK TRAFFIC FROM AN INFECTED LAB HOST:
- 95.213.237.64 port 80 - getlintout.biz - GET /?[string of characters]=[encoded string representing recipient's email address]
- port 80 - api.ipify.org - GET /
- 91.227.68.173 port 80 - hinwasslysed.com - POST /4/forum.php
- 91.227.68.173 port 80 - hinwasslysed.com - POST /mlu/about.php
- 91.227.68.173 port 80 - hinwasslysed.com - POST /d2/about.php
- 69.195.124.61 port 80 - realeverydaybusiness.com - GET /wp-content/plugins/jetpack-popular-posts/1
- 69.195.124.61 port 80 - realeverydaybusiness.com - GET /wp-content/plugins/jetpack-popular-posts/2
- 69.195.124.61 port 80 - realeverydaybusiness.com - GET /wp-content/plugins/jetpack-popular-posts/3
- 5.188.232.238 port 443 - myaningmuchme.ru - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
- port 80 - www.google.com - HTTPS/SSL/TLS traffic - probable connectivity check caused by Zeus Panda Banker
MALWARE
MALWARE RETRIEVED FROM MY INFECTED LAB HOST:
- SHA256 hash: 687582d32b7c7603a334f5e30d5f5a335624a1a19200980ec2951a205a88acb2
File size: 181,760 bytes
File name: fax_[six random digits].doc
File description: Downloaded Word doc with macro for Hancitor
- SHA256 hash: 4ba21629c84a89c6d2d5c52abcd110c551a5f9fe9008c7f0e6b43ecde0cca1f0
File size: 56,320 bytes
File location: C:\Users\[username]\AppData\Local\Temp\6C.pif
File description: Hancitor malware binary
- SHA256 hash: 111b67b802426c2e94e933761cbb6168a6730c99849244e518d11e1474218088
File size: 172,544 bytes
File location: C:\Users\[username]\AppData\Roaming\[existing directory path]\[random name].exe
File description: Zeus Panda banker caused by Hancitor infection
FINAL NOTES
Once again, here are the associated files:
- 2018-07-09-Hancitor-malspam-1506-UTC.eml.zip 2.0 kB (2,040 bytes)
- 2018-07-09-Hancitor-malspam-infection-traffic.pcap.zip 2.4 MB (2,358,362 bytes)
- 2018-07-09-malware-from-Hancitor-infection.zip 270 kB (270,402 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.