2018-07-16 - QUICK POST: HANCITOR INFECTION WITH ZEUS PANDA BANKER (AND AZORULT)
ASSOCIATED FILES:
- 2018-07-16-Hancitor-malspam-32-email-examples.txt.zip 8.7 kB (8,699 bytes)
- 2018-07-16-Hancitor-malspam-infection-traffic.pcap.zip 4.3 MB (4,333,660 bytes)
- 2018-07-16-files-from-host-infected-with-Hancitor.zip 2.6 MB (2,589,839 bytes)
NOTES:
- New traffic noted during today's Hancitor infection...
- Thanks to @mesa_matt for quickly identifying this as AZORult-style traffic (link to his tweet).
- Unfortunately, I was unable to find an AZORult binary on my infected lab host.
IMAGES
Shown above: Infection traffic filtered in Wireshark.
Shown above: This popped up (and quickly disappeared) in the user's AppData\Local\Temp directory.
FINAL NOTES
Once again, here are the associated files:
- 2018-07-16-Hancitor-malspam-32-email-examples.txt.zip 8.7 kB (8,699 bytes)
- 2018-07-16-Hancitor-malspam-infection-traffic.pcap.zip 4.3 MB (4,333,660 bytes)
- 2018-07-16-files-from-host-infected-with-Hancitor.zip 2.6 MB (2,589,839 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.