2021-05-13 (THURSDAY) - HANCITOR WITH FICKER STEALER AND COBALT STRIKE
ASSOCIATED FILES:
- 2021-05-13-IOCs-from-Hancitor.txt.zip 3.7 kB (3,727 bytes)
- 2021-05-13-Hancitor-malspam-11-examples.zip 26.8 kB (26,760 bytes)
- 2021-05-13-Hancitor-traffic-with-Ficker-Stealer-and-Cobalt-Strike.pcap.zip 9.0 MB (9,047,623 bytes)
- 2021-05-13-Hancitor-malware-samples.zip 11.5 MB (11,536,304 bytes)
REFERENCES:
NOTES:
- All zip archives on this site are password-protected. If you don't know the password, see the "about" page of this website.
- Victim's Active Directory (AD) environment from the pcap:
- Victim's LAN segment range: 10.0.0.0/24 (10.0.0.0 through 10.0.0.255
- Victim's Domain: sunbattleaxes.com
- Victim's Domain controller: 10.0.0.2 - BattleAx-DC
- LAN segment gateway: 10.0.0.1
- LAN segment broadcast address: 10.0.0.255
- IP address of the infected Windows host: 10.0.0.101
- Host name of the infected Windows host: DESKTOP-UGSXCLB
- User account name on the infected Windows host: albert.hamstein
IMAGES
Shown above: Traffic from the infection filtered in Wireshark.
Click here to return to the main page.