Malware-Traffic-Analysis.net - 2017-11-08 - Hancitor infection with Zeus Panda Banker

2017-11-08 - HANCITOR INFECTION WITH ZEUS PANDA BANKER

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2017-11-08-Hancitor-infection-with-Zeus-Panda-Banker.pcap.zip 808.3 kB (808,283 bytes)

infection-with-Zeus-Panda-Banker.pcap (1,024,590 bytes)

2017-11-08-Hancitor-malspam-and-Hancitor-malware-and-Zeus-Panda-Banker-EXE.zip 217 kB (217,457 bytes)

2017-11-08-Hancitor-malspam-1648-UTC.eml (1,190 bytes)

2017-11-08-Hancitor-malspam-1708-UTC.eml (1,163 bytes)

2017-11-08-Hancitor-malspam-1735-UTC.eml (1,153 bytes)

2017-11-08-Hancitor-malspam-1835-UTC.eml (1,147 bytes)

search.json.exe (150,016 bytes)

tracking_info_760613.doc (186,368 bytes)

NOTES:

On this Twitter thread, some security professionals discuss today's Hancitor campaign.
See this Pastebin page for some domains and URLs not included in this blog post.

EMAILS

Shown above: Screenshot from one of the emails.

EMAIL HEADERS:

Date/Time: Wednesday 2017-11-08 as early as 16:48 UTC through at least 17:35 UTC
Subject: RE: iPhone X pre-order
From: "SOUL Electronics USA" <order@soulelectronics[.]com>

Received: from soulelectronics[.]com ([104.201.90[.]210])
Received: from soulelectronics[.]com ([12.30.76[.]186])
Received: from soulelectronics[.]com ([136.61.93[.]165])
Received: from soulelectronics[.]com ([173.57.217[.]100])
Received: from soulelectronics[.]com ([187.157.157[.]210])
Received: from soulelectronics[.]com ([203.115.6[.]50])
Received: from soulelectronics[.]com ([207.150.242[.]6])
Received: from soulelectronics[.]com ([207.188.230[.]106])
Received: from soulelectronics[.]com ([209.208.210[.]100])
Received: from soulelectronics[.]com ([43.229.227[.]26])
Received: from soulelectronics[.]com ([46.120.81[.]165])
Received: from soulelectronics[.]com ([47.190.52[.]75])
Received: from soulelectronics[.]com ([69.42.242[.]226])
Received: from soulelectronics[.]com ([69.85.254[.]82])
Received: from soulelectronics[.]com ([70.118.115[.]26])
Received: from soulelectronics[.]com ([70.35.235[.]156])
Received: from soulelectronics[.]com ([74.80.8[.]126])
Received: from soulelectronics[.]com ([75.150.209[.]37])
Received: from soulelectronics[.]com ([76.249.243[.]118])
Received: from soulelectronics[.]com ([97.75.106[.]38])
Received: from soulelectronics[.]com (107-1-172-100-ip-static.hfc.comcastbusiness[.]net [107.1.172[.]100])
Received: from soulelectronics[.]com (216-241-61-98.static-ip.telepacific[.]net [216.241.61[.]98])
Received: from soulelectronics[.]com (23-24-137-153-static.hfc.comcastbusiness[.]net [23.24.137[.]153])
Received: from soulelectronics[.]com (50-242-52-169-static.hfc.comcastbusiness[.]net [50.242.52[.]169])
Received: from soulelectronics[.]com (50-250-6-25-static.hfc.comcastbusiness[.]net [50.250.6[.]25])
Received: from soulelectronics[.]com (50-250-94-177-static.hfc.comcastbusiness[.]net [50.250.94[.]177])
Received: from soulelectronics[.]com (50-253-24-11-static.hfc.comcastbusiness[.]net [50.253.24[.]11])
Received: from soulelectronics[.]com (64.50.123.147.ptr.us.xo[.]net [64.50.123[.]147])
Received: from soulelectronics[.]com (65.23.16.178.nw.nuvox[.]net [65.23.16[.]178])
Received: from soulelectronics[.]com (74-95-66-202-Minnesota.hfc.comcastbusiness[.]net [74.95.66[.]202])
Received: from soulelectronics[.]com (75-138-226-161.dhcp.jcsn.tn.charter[.]com [75.138.226[.]161])
Received: from soulelectronics[.]com (75-148-212-67-Houston.hfc.comcastbusiness[.]net [75.148.212[.]67])
Received: from soulelectronics[.]com (96-38-75-90.static.jcsn.tn.charter[.]com [96.38.75[.]90])
Received: from soulelectronics[.]com (96-88-142-22-static.hfc.comcastbusiness[.]net [96.88.142[.]22])
Received: from soulelectronics[.]com (cmr-208-124-161-114.cr.net.cable.rogers[.]com [208.124.161[.]114])
Received: from soulelectronics[.]com (cpe-static-negastroenterologyofhonesdale-rtr.cmts.haw.ptd[.]net [24.238.61[.]74])
Received: from soulelectronics[.]com (email.howlandpump[.]com [69.193.107[.]42])
Received: from soulelectronics[.]com (hlfxns0169w-142-176-102-132.pppoe-dynamic.high-speed.ns.bellaliant[.]net [142.176.102[.]132])
Received: from soulelectronics[.]com (host-192-111-78-73.EPSOLT4.epbfi[.]com [192.111.78[.]73])
Received: from soulelectronics[.]com (mail.allpointswasteservice[.]com [98.101.85[.]218])
Received: from soulelectronics[.]com (mail.consigliandbrucato[.]com [98.118.62[.]186])
Received: from soulelectronics[.]com (mail.knoxhousingui[.]org [75.149.219[.]189])
Received: from soulelectronics[.]com (mail.lehrmiddlebrooks[.]com [74.254.232[.]226])
Received: from soulelectronics[.]com (mail.pba1873[.]com [99.124.239[.]57])
Received: from soulelectronics[.]com (mail.thebellcenter[.]org [97.78.63[.]250])
Received: from soulelectronics[.]com (rrcs-24-213-182-28.nyc.biz.rr[.]com [24.213.182[.]28])
Received: from soulelectronics[.]com (rrcs-67-52-227-178.west.biz.rr[.]com [67.52.227[.]178])
Received: from soulelectronics[.]com (rrcs-70-63-4-86.central.biz.rr[.]com [70.63.4[.]86])
Received: from soulelectronics[.]com (static-68-236-120-88.bstnma.east.verizon[.]net [68.236.120[.]88])
Received: from soulelectronics[.]com (static-71-175-81-126.phlapa.fios.verizon[.]net [71.175.81[.]126])
Received: from soulelectronics[.]com (static-72-87-95-7.prvdri.fios.verizon[.]net [72.87.95[.]7])
Received: from soulelectronics[.]com (static-98-118-52-168.bstnma.fios.verizon[.]net [98.118.52[.]168])
Received: from soulelectronics[.]com (wsip-184-176-151-108.ph.ph.cox[.]net [184.176.151[.]108])
Received: from soulelectronics[.]com (wsip-184-183-13-36.ph.ph.cox[.]net [184.183.13[.]36])
Received: from soulelectronics[.]com (wsip-70-184-164-23.hr.hr.cox[.]net [70.184.164[.]23])
Received: from soulelectronics[.]com (wsip-98-191-199-122.ok.ok.cox[.]net [98.191.199[.]122])

Shown above: Clicking on a link from one of the emails.

Shown above: Malicious Word document from link in the malspam.

TRAFFIC

Shown above: Traffic from the infection filtered in Wireshark.

LINKS IN THE EMAILS TO THE WORD DOCUMENT:

hxxp[:]//attorneylove[.]com
hxxp[:]//captainspeedy[.]com
hxxp[:]//johnsanna[.]com
hxxp[:]//mobileevolution[.]net
hxxp[:]//nominateattorneys[.]com
hxxp[:]//phonefix[.]guru
hxxp[:]//phonefix[.]repair
hxxp[:]//topattorneysofna[.]com
hxxp[:]//whoswhodirectories[.]com
hxxp[:]//wwdirectories[.]com

NETWORK TRAFFIC FROM MY INFECTED LAB HOST:

45.76.92[.]24 port 80 - phonefix[.]guru - GET /
port 80 - api.ipify[.]org - IP address check by the infected Windows host
185.187.90[.]38 port 80 - parhecotevent[.]com - POST /ls5/forum.php
185.187.90[.]38 port 80 - parhecotevent[.]com - POST /mlu/forum.php
185.187.90[.]38 port 80 - parhecotevent[.]com - POST /d2/about.php
27.254.142[.]193 port 80 - bamrungrak[.]ac[.]th - GET /wp-content/plugins/disable-comments/1
27.254.142[.]193 port 80 - bamrungrak[.]ac[.]th - GET /wp-content/plugins/disable-comments/2
27.254.142[.]193 port 80 - bamrungrak[.]ac[.]th - GET /wp-content/plugins/disable-comments/3
185.174.173[.]6 port 443 - henfobuthis[.]com - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
port 80 - google[.]com - Connectivity check by Zeus Panda Banker
port 80 - www.google[.]com - Connectivity check by Zeus Panda Banker
port 443 - www.google[.]com - Connectivity check by Zeus Panda Banker

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

SHA256 hash: 45ce33d3461844999b883db1b54a51a37ac85115f17aea24906be23362562235
File name: tracking_info_[six random digits].doc (for example: tracking_info_760613.doc)
File size: 186,368 bytes
File description: Microsoft Word document with malicious macro for Hancitor

MALWARE RETRIEVED FROM THE INFECTED HOST:

SHA256 hash: 477ee5f96261a841dac846a4ad22520db4f9630edf3082f23846f70642d3bff3
File location: C:\Users\[username]\AppData\Roaming\[random existing path]\[random name].exe
File size: 150,016 bytes
File description: Zeus Panda Banker

IMAGES

Shown above: Zeus Panda Banker made persistent on the infected host.

Click here to return to the main page.