2018-12-05 - QUICK POST: MALSPAM PUSHING HANCITOR
- 2018-12-05-Hancitor-malspam-1606-UTC.eml.zip 2.5 kB (2,456 bytes)
- 2018-12-05-Hancitor-infection-with-Ursnif.pcap.zip 1.1 MB (1,077,722 bytes)
- 2018-12-05-malware-and-artifacts-from-Hancitor-infection.zip 1.6 MB (1,574,249 bytes)
- Last week on 2018-11-29, Hancitor changed it's macro code as shown here: Campaign evolution: Hancitor changes its Word macros.
- However, today it's back to the previous style of macro and dropping 6.pif and 6.exe
- Hancitor is still pushing Ursnif instead of Zeus Panda Banker, which it's been doing since October 2018.
- Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Shown above: Infection traffic filtered in Wireshark.
Shown above: Back to the previous style of infection (older macros last seen in Oct 2018 before Hancitor's 1-month haitus).
Click here to return to the main page.