2018-12-20 - THREE DAYS OF HANCITOR INFECTIONS, TODAY WITH SMOKE LOADER
2018-12-18 INFO:
- Original Twitter thread: https://twitter.com/James_inthe_box/status/1075051713093033984
- My follow-up Twitter thread: https://twitter.com/malware_traffic/status/1075063156236525569
- Vitali Kremez follow-up Twitter thread: https://twitter.com/VK_Intel/status/1075060341485289473
- Original paste of indicators: https://pastebin.com/b0zU7VYA
- My updates on Pastebin: https://pastebin.com/TFwCaUwr
2018-12-18 FILES:
- 2018-12-18-Hancitor-malspam-1711-UTC.eml.zip 2.9 kB (2,888 bytes)
- 2018-12-18-Hancitor-infection-with-Ursnif.pcap.zip 1.2 MB (1,188,876 bytes)
- 2018-12-18-Hancitor-and-Ursnif-malware.zip 3.4 MB (3,392,008 bytes)
2018-12-19 INFO:
- Original Twitter thread: https://twitter.com/James_inthe_box/status/1075418138458578944
- My follow-up Twitter thread: https://twitter.com/malware_traffic/status/1075437807831793664
- Vitali Kremez follow-up Twitter thread: https://twitter.com/VK_Intel/status/1075511137008009219
- Original paste of indicators: https://pastebin.com/LdyVRX2T
- My updates on Pastebin: https://pastebin.com/FBb30ANp
2018-12-19 FILES:
- 2018-12-19-Hancitor-malspam-1709-UTC.eml.zip 1.9 kB (1,949 bytes)
- 2018-12-19-Hancitor-infection-with-Ursnif.pcap.zip 1 MB (1,045,926 bytes)
- 2018-12-19-Hancitor-and-Ursnif-malware.zip 3.4 MB (3,391,088 bytes)
2018-12-20 INFO:
- Original Twitter thread: https://twitter.com/James_inthe_box/status/1075767229386346496
- My follow-up Twitter thread: https://twitter.com/malware_traffic/status/1075782907753578496
- Original paste of indicators: https://pastebin.com/7EUu3v4b
- My updates on Pastebin: https://pastebin.com/RAUgpPxj
2018-12-20 FILES:
- 2018-12-20-Hancitor-1st-run-retreives-Pony-EvilPony-Ursnif-and-SmokeLoader.pcap.zip 552 kB (552,107 bytes) No Ursnif or Smoke Loader post-infection traffic
- 2018-12-20-Hancitor-2nd-run-retreives-Pony-EvilPony-Ursnif-and-Ursnif.pcap.zip 1.2 MB (1,171,928 bytes)
- 2018-12-20-Hancitor-Ursnif-and-Smokeloader-malware.zip 3.4 MB (3,353,356 bytes)
NOTES:
- Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Shown above: Flow chart for traffic on the first run.
Shown above: On the first run I saw a 4th URL for follow-up malware that turned out to be Smoke Loader.
Shown above: I tried a second infection less than an hour later, but no Smoke Loader.
Shown above: Here's what Smoke Loader looked like on an infected Windows host.