Malware-Traffic-Analysis.net - 2018-12-18 thru 2018-12-20 - Three days of Hancitor infections, today with Smoke Loader

2018-12-20 - THREE DAYS OF HANCITOR INFECTIONS, TODAY WITH SMOKE LOADER

2018-12-18 INFO:

Original Twitter thread: https://twitter.com/James_inthe_box/status/1075051713093033984
My follow-up Twitter thread: https://twitter.com/malware_traffic/status/1075063156236525569
Vitali Kremez follow-up Twitter thread: https://twitter.com/VK_Intel/status/1075060341485289473

Original paste of indicators: https://pastebin.com/b0zU7VYA
My updates on Pastebin: https://pastebin.com/TFwCaUwr

2018-12-18 FILES:

2018-12-18-Hancitor-malspam-1711-UTC.eml.zip 2.9 kB (2,888 bytes)
2018-12-18-Hancitor-infection-with-Ursnif.pcap.zip 1.2 MB (1,188,876 bytes)
2018-12-18-Hancitor-and-Ursnif-malware.zip 3.4 MB (3,392,008 bytes)

2018-12-19 INFO:

Original Twitter thread: https://twitter.com/James_inthe_box/status/1075418138458578944
My follow-up Twitter thread: https://twitter.com/malware_traffic/status/1075437807831793664
Vitali Kremez follow-up Twitter thread: https://twitter.com/VK_Intel/status/1075511137008009219

Original paste of indicators: https://pastebin.com/LdyVRX2T
My updates on Pastebin: https://pastebin.com/FBb30ANp

2018-12-19 FILES:

2018-12-19-Hancitor-malspam-1709-UTC.eml.zip 1.9 kB (1,949 bytes)
2018-12-19-Hancitor-infection-with-Ursnif.pcap.zip 1 MB (1,045,926 bytes)
2018-12-19-Hancitor-and-Ursnif-malware.zip 3.4 MB (3,391,088 bytes)

2018-12-20 INFO:

Original Twitter thread: https://twitter.com/James_inthe_box/status/1075767229386346496
My follow-up Twitter thread: https://twitter.com/malware_traffic/status/1075782907753578496

Original paste of indicators: https://pastebin.com/7EUu3v4b
My updates on Pastebin: https://pastebin.com/RAUgpPxj

2018-12-20 FILES:

2018-12-20-Hancitor-1st-run-retreives-Pony-EvilPony-Ursnif-and-SmokeLoader.pcap.zip 552 kB (552,107 bytes) No Urnsif or Smokeloader post-infection traffic
2018-12-20-Hancitor-2nd-run-retreives-Pony-EvilPony-Ursnif-and-Ursnif.pcap.zip 1.2 MB (1,171,928 bytes)
2018-12-20-Hancitor-Ursnif-and-Smokeloader-malware.zip 3.4 MB (3,353,356 bytes)

NOTES:

Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Shown above: Flow chart for traffic on the first run.

Shown above: On the first run I saw a 4th URL for follow-up malware that turned out to be Smoke Loader.

Shown above: I tried a second infection less than an hour later, but no Smoke Loader.

Shown above: Here's what Smoke Loader looked like on an infected Windows host.

Click here to return to the main page.