2018-08-16 - HANCITOR INFECTION TRAFFIC WITH ZEUS PANDA BANKER
ASSOCIATED FILES:
- 2018-08-16-Hancitor-malspam-example.eml.zip 2 kB (2,031 bytes)
- 2018-08-16-Hancitor-malspam-infection-traffic.pcap.zip 526 kB (525,810 bytes)
- 2018-08-16-malware-from-Hancitor-infection.zip 333 kB (333,331 bytes)
NOTES:
- The block list contains additional info first reported in the VirusBay entry for the associated Word document, as well as some other sources.
- As always, my thanks to everyone who keeps an eye on this malspam and reports about it near-real-time on Twitter.
Shown above: Flow chart for a typical Hancitor malspam infection.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- backhomebail.com
- biggaybrunch.info
- biggaybrunch.net
- biggaybrunch.org
- clearrochester.com
- dtvrochester.com
- gaymovetodenver.com
- glbtmovetodenver.com
- hatcreekurnco.com
- lgbtmovetodenver.com
- omnibox.me
- omnibox.mobi
- outcolorado.info
- outcolorado.net
- outcolorado.org
- smarthomeiconnect.com
- wildblueny.com
- hxxp://alyssaritchey.com/wp-content/plugins/title-remover/1
- hxxp://alyssaritchey.com/wp-content/plugins/title-remover/2
- hxxp://alyssaritchey.com/wp-content/plugins/title-remover/3
- hxxp://community-growth.org/wp-content/plugins/cryout-theme-settings/inc/1
- hxxp://community-growth.org/wp-content/plugins/cryout-theme-settings/inc/2
- hxxp://community-growth.org/wp-content/plugins/cryout-theme-settings/inc/3
- hxxp://taxgals.com/wp-content/themes/twentythirteen/inc/1
- hxxp://taxgals.com/wp-content/themes/twentythirteen/inc/2
- hxxp://taxgals.com/wp-content/themes/twentythirteen/inc/3
- soutmestiho.com
- enbetishect.ru
- gesinaleft.ru
- inghapwilhe.ru
HEADERS FROM A MALSPAM EXAMPLE
Shown above: Screenshot from one of the emails.
Received: from fallsgrovedentistry.com ([65.98.129.162]) by [removed] for [removed];
Thu, 16 Aug 2018 17:33:44 +0000 (UTC)
Message-ID: <69C3514D.706FA590@fallsgrovedentistry.com>
Date: Thu, 16 Aug 2018 10:33:46 -0700
Reply-To: "AT&T Inc. " <att@fallsgrovedentistry.com>
From: "AT&T Inc. " <att@fallsgrovedentistry.com>
X-Mailer: iPhone Mail (11D201)
X-Accept-Language: en-us
MIME-Version: 1.0
TO: [removed]
Subject: Your wireless invoice notification from AT&T
Shown above: Malicious Word document downloaded from link in the malspam.
TRAFFIC
LINKS IN THE EMAILS TO DOWNLOAD THE WORD DOCUMENT:
- hxxp://backhomebail.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://biggaybrunch.info?[string of characters]=[encoded string representing recipient's email address]
- hxxp://biggaybrunch.net?[string of characters]=[encoded string representing recipient's email address]
- hxxp://biggaybrunch.org?[string of characters]=[encoded string representing recipient's email address]
- hxxp://clearrochester.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://dtvrochester.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://gaymovetodenver.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://glbtmovetodenver.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://hatcreekurnco.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://lgbtmovetodenver.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://omnibox.me?[string of characters]=[encoded string representing recipient's email address]
- hxxp://omnibox.mobi?[string of characters]=[encoded string representing recipient's email address]
- hxxp://outcolorado.info?[string of characters]=[encoded string representing recipient's email address]
- hxxp://outcolorado.net?[string of characters]=[encoded string representing recipient's email address]
- hxxp://outcolorado.org?[string of characters]=[encoded string representing recipient's email address]
- hxxp://smarthomeiconnect.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://wildblueny.com?[string of characters]=[encoded string representing recipient's email address]
Shown above: Traffic from an infection filtered in Wireshark.
Shown above: Traffic from from failed TCP connections by soutmestiho.com filtered in Wireshark.
TRAFFIC FROM AN INFECTED WINDOWS HOST:
- 95.213.237.64 port 80 - outcolorado.info - GET /?[string of characters]=[encoded string representing recipient's email address]
- port 80 - api.ipify.org - GET /
- 178.208.80.127 port 80 - soutmestiho.com - Attempted TCP connections, but no response or RST from the server
- 77.246.145.8 port 80 - enbetishect.ru - POST /4/forum.php
- 77.246.145.8 port 80 - enbetishect.ru - POST /mlu/about.php
- 77.246.145.8 port 80 - enbetishect.ru - POST /d2/about.php
- 192.185.17.127 port 80 - community-growth.org - GET /wp-content/plugins/cryout-theme-settings/inc/1
- 192.185.17.127 port 80 - community-growth.org - GET /wp-content/plugins/cryout-theme-settings/inc/2
- 192.185.17.127 port 80 - community-growth.org - GET /wp-content/plugins/cryout-theme-settings/inc/3
- 185.7.30.147 port 443 - inghapwilhe.ru - HTTPS/SSL/TLS traffic [Zeus Panda Banker]
- port 443 - www.google.com - connectivity check by infected Windows host [Zeus Panda Banker]
FILE HASHES
MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:
- SHA256 hash: e1a2cdab779ee1237c638fea4b9d4dca0591d16f9e4fc208a7486fd6d26523cf
File size: 201,216 bytes
File name: invoice_142098.doc (random file names)
File description: Word doc downloaded from a link in Hancitor malspam. Doc has macro to retreive Hancitor.
- SHA256 hash: a388a50081111d0252eb4c638421ad6b5d13dee6f2e374b0c3a40138227f9ac0
File size: 58,880 bytes
File location: C:\Users\[username]\AppData\Local\Temp\6.exe
File location: C:\Users\[username]\AppData\Local\Temp\6.pif
File description: Hancitor malware binary retrieved by macro in downloaded Word doc
- SHA256 hash: ad7b21f9c14c49ea28f7e98a8e3b44973446342537d9817ec91c13681bae0023
File size: 218,624 bytes
File location: C:\Users\[username]\AppData\Roaming\[existing directory path]\[random file name].exe
File description: Zeus Panda Banker on 2018-08-16 caused by Hancitor infection
FINAL NOTES
Once again, here are the associated files:
- 2018-08-16-Hancitor-malspam-example.eml.zip 2 kB (2,031 bytes)
- 2018-08-16-Hancitor-malspam-infection-traffic.pcap.zip 526 kB (525,810 bytes)
- 2018-08-16-malware-from-Hancitor-infection.zip 333 kB (333,331 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.